OneTruth

Security

The technical and organizational measures we take to keep your data safe. Updated whenever something changes.

Last updated: April 30, 2026

Authentication

  • Sign in with Apple on iOS and the web. We never store passwords, so there is no password database to leak.
  • Email magic link as a fallback on the web. Tokens are single-use and expire in 60 minutes.
  • JWT sessions backed by HTTP-only cookies, refreshed server-side in middleware on every request.
  • Cross-subdomain cookies are scoped to .onetruth.app only, so the browser never sends them to third-party domains.
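To show what "single-use" and "expire in 60 minutes" mean at the storage layer, here is an added example in Postgres. It is not OneTruth's code; the table, column names and the two bind parameters ($1 = raw token, $2 = recipient email) are hypothetical, and it assumes the pgcrypto extension for digest().

```sql
-- Added example, not OneTruth's code: a single-use magic-link token store in Postgres.
-- Assumes the pgcrypto extension; table and column names are hypothetical.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

CREATE TABLE magic_link_tokens (
  token_hash  bytea PRIMARY KEY,                     -- SHA-256 of the token, never the token itself
  email       text NOT NULL,
  created_at  timestamptz NOT NULL DEFAULT now(),
  expires_at  timestamptz NOT NULL DEFAULT now() + interval '60 minutes',
  consumed_at timestamptz                            -- NULL until the link is used
);

-- Issue: the application generates 32 random bytes, hex-encodes them into the emailed link,
-- and stores only the hash. $1 = raw token, $2 = recipient email (bind parameters).
-- A database dump therefore contains nothing that can be pasted into a sign-in URL.
INSERT INTO magic_link_tokens (token_hash, email)
VALUES (digest($1::text, 'sha256'), $2::text);

-- Redeem: one UPDATE checks expiry and marks the token consumed atomically.
-- The row lock taken by UPDATE means two concurrent clicks on the same link
-- cannot both succeed: the second sees consumed_at set and matches zero rows.
UPDATE magic_link_tokens
SET    consumed_at = now()
WHERE  token_hash = digest($1::text, 'sha256')
  AND  consumed_at IS NULL
  AND  expires_at > now()
RETURNING email;                                     -- zero rows => reject the sign-in

-- Hygiene: expired and used tokens carry no value; purge them on a schedule.
DELETE FROM magic_link_tokens
WHERE  expires_at < now() - interval '1 day';
```

The point of the single UPDATE is that "check, then consume" is not two steps a second request can slip between; if the statement returns no row, the link is either used, expired, or never existed, and the application treats all three the same way.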

Authorization

  • Postgres Row-Level Security on every table. By default a user can only read their own rows; access to anyone else's rows is granted only through explicit workspace membership.
  • Per-resource permissions for shared bills, notes, and documents (owner / editor / commenter / viewer).
  • Service-role keys live only in server-side environment variables, never in client bundles.
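For readers who want to see what membership-based Row-Level Security looks like in practice, here is an added example. It is not OneTruth's schema or policies. It assumes Postgres with Supabase's auth.uid() available, which returns the calling user's id from the session JWT; the tables, columns, helper function and policy names are hypothetical, and the roles mirror the owner / editor / commenter / viewer list above.

```sql
-- Added example, not OneTruth's schema: Row-Level Security with workspace membership.
-- Assumes Supabase's auth.uid(); table, column, function and policy names are hypothetical.
CREATE TABLE workspaces (
  id       uuid PRIMARY KEY DEFAULT gen_random_uuid(),
  owner_id uuid NOT NULL
);

CREATE TABLE workspace_members (
  workspace_id uuid NOT NULL REFERENCES workspaces(id) ON DELETE CASCADE,
  user_id      uuid NOT NULL,
  role         text NOT NULL CHECK (role IN ('owner', 'editor', 'commenter', 'viewer')),
  PRIMARY KEY (workspace_id, user_id)
);

CREATE TABLE notes (
  id           uuid PRIMARY KEY DEFAULT gen_random_uuid(),
  owner_id     uuid NOT NULL,
  workspace_id uuid REFERENCES workspaces(id) ON DELETE CASCADE,  -- NULL = private note
  body         text NOT NULL
);

-- Enabling RLS with no policies denies everything; each policy below re-opens one path.
-- FORCE makes the policies apply to the table owner as well.
ALTER TABLE workspace_members ENABLE ROW LEVEL SECURITY;
ALTER TABLE workspace_members FORCE ROW LEVEL SECURITY;
ALTER TABLE notes ENABLE ROW LEVEL SECURITY;
ALTER TABLE notes FORCE ROW LEVEL SECURITY;

-- Policy subqueries are themselves subject to RLS, so members must be able to
-- see their own membership rows (and nobody else's).
CREATE POLICY members_self ON workspace_members FOR SELECT
  USING (user_id = auth.uid());

-- Helper used by the note policies: the caller's role in a workspace, or NULL if not a member.
CREATE FUNCTION my_role(ws uuid) RETURNS text
LANGUAGE sql STABLE AS $$
  SELECT role FROM workspace_members
  WHERE workspace_id = ws AND user_id = auth.uid()
$$;

-- Read: own rows, or any row in a workspace the caller belongs to.
CREATE POLICY notes_select ON notes FOR SELECT
  USING (owner_id = auth.uid() OR my_role(workspace_id) IS NOT NULL);

-- Insert: only rows you own, and only into workspaces where you can edit.
CREATE POLICY notes_insert ON notes FOR INSERT
  WITH CHECK (
    owner_id = auth.uid()
    AND (workspace_id IS NULL OR my_role(workspace_id) IN ('owner', 'editor'))
  );

-- Update: owner, or editor-or-above; commenters and viewers cannot change the body.
-- WITH CHECK stops an editor from moving a note into a workspace they cannot edit.
CREATE POLICY notes_update ON notes FOR UPDATE
  USING      (owner_id = auth.uid() OR my_role(workspace_id) IN ('owner', 'editor'))
  WITH CHECK (owner_id = auth.uid() OR my_role(workspace_id) IN ('owner', 'editor'));

-- Delete: the row's owner only.
CREATE POLICY notes_delete ON notes FOR DELETE
  USING (owner_id = auth.uid());

-- Check from a throwaway session: impersonate a user the way Supabase's API layer does
-- (placeholder uuid) and confirm rows from workspaces they are not in never come back.
-- SET LOCAL ROLE authenticated;
-- SET LOCAL request.jwt.claims = '{"sub":"00000000-0000-0000-0000-000000000001"}';
-- SELECT id, workspace_id FROM notes;
```

Two caveats a practitioner should keep in mind. First, a table with RLS enabled but no policy returns nothing, so a forgotten policy shows up as missing data rather than as a leak; the reverse mistake, a policy with USING (true), is the one to grep for. Second, Supabase's service role bypasses RLS entirely, which is why the bullet above about keeping service-role keys out of client bundles is not a detail: a leaked service key is a leak of every row.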

Encryption

  • Data at rest: AES-256 (Postgres + Supabase Storage).
  • Data in transit: TLS 1.3 with HSTS preloaded.
  • Backups: encrypted, stored in a different region.

Vendors

The full list of third parties that ever touch your data:

  • Apple — sign-in identity, push notifications, App Store billing.
  • Plaid — bank account linking. Plaid sees your bank credentials; we never do.
  • Supabase — Postgres, Auth, Storage, Realtime, Edge Functions.
  • Resend — transactional email delivery.
  • Vercel — web hosting and CDN.
  • Cloudflare — DNS and email routing.

Each vendor is bound by a data processing agreement. None are permitted to use your data for their own purposes. We periodically audit which vendors hold which data and remove any unnecessary sharing.

Disclosure policy

If we discover a security incident that affects your data, we'll email you within 72 hours of discovery, with details of what happened and what you should do. We'll also publish a postmortem on this page within 14 days.

Reporting a vulnerability

Found something? Email support@onetruth.app with details. We respond within 1 business day, fix promptly, and credit you in the changelog if you'd like.