Security
Last updated: June 8, 2026
Suzy is built on top of well-established, independently audited platforms. This page describes the real controls we have in place and how to report an issue.
Authentication & Account Access
- Email + password authentication via Supabase Auth. Passwords are stored as bcrypt hashes by Supabase; we never see your plaintext password.
- Passwords must be at least 12 characters and include characters from multiple classes (letters, digits, symbols). Common passwords are rejected at signup.
- Sign-in sessions are HTTPS-only with httpOnly and SameSite=Lax cookies, refreshed automatically.
- Password reset goes through a one-time email link, never recovery questions.
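As an added example, not Suzy's own code and not something the page shows, here is a server-side check that encodes the password rules stated above: a minimum of 12 characters, characters from more than one class (letters, digits, symbols), and rejection of common passwords. The deny list is a constructed sample, and treating "multiple classes" as "at least two" is an assumption; a production deny list would be a breached-password corpus of millions of entries.

```javascript
// Added example (not Suzy's code): a server-side password policy check for the
// rules the page states. The deny list is a constructed sample and the
// "at least two classes" threshold is an assumption.

const MIN_LENGTH = 12;
const MIN_CLASSES = 2; // assumption: "multiple classes" read as at least two

// Constructed sample; a real deployment checks against a breached-password corpus.
const COMMON_PASSWORDS = new Set([
  "password1234",
  "qwertyuiop12",
  "letmeinplease",
  "iloveyou1234",
]);

// The three classes the page names: letters, digits, symbols.
const CLASS_PATTERNS = {
  letters: /[A-Za-z]/,
  digits: /[0-9]/,
  symbols: /[^A-Za-z0-9]/,
};

// Names of the character classes present in the candidate password.
function characterClasses(password) {
  return Object.entries(CLASS_PATTERNS)
    .filter(([, pattern]) => pattern.test(password))
    .map(([name]) => name);
}

// Returns { ok, problems }; every rule is evaluated so the user sees all failures at once.
function checkPassword(candidate) {
  const password = typeof candidate === "string" ? candidate : "";
  const problems = [];
  // Count code points, not UTF-16 units, so a 12-emoji password is not undercounted.
  if (Array.from(password).length < MIN_LENGTH) {
    problems.push(`must be at least ${MIN_LENGTH} characters`);
  }
  if (characterClasses(password).length < MIN_CLASSES) {
    problems.push("must mix at least two of letters, digits and symbols");
  }
  // Case-insensitive lookup so "Password1234" and "password1234" are treated alike.
  if (COMMON_PASSWORDS.has(password.toLowerCase())) {
    problems.push("is too common");
  }
  return { ok: problems.length === 0, problems };
}
```

The check runs on the server before the signup call is forwarded to the auth provider, so a modified client cannot bypass it; the provider's own hashing of the accepted password is unchanged by this step.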
Data Protection
- In transit: HTTPS on every request, enforced by HSTS so browsers refuse plaintext fallback.
- At rest: Supabase encrypts the database and backups at rest using AES-256.
- Per-household isolation: every household has its own row-level-security policies on the database. Members of household A cannot read household B's tasks, shopping list, or contacts even if they had direct database access.
- Sensitive tokens: Outlook calendar OAuth refresh tokens and quick-add API tokens live in tables that deny direct reads to anyone other than the server process. Quick-add tokens are stored as hashes; the plaintext is only shown to you once at creation.
Application Security
- Content Security Policy restricts what the browser will execute and where it can connect to.
- HSTS preload on the production domain.
- X-Frame-Options: DENY blocks embedding Suzy in an iframe (defends against clickjacking).
- X-Content-Type-Options: nosniff prevents browsers from second-guessing content types.
- Strict referrer policy so we don't leak your in-app URLs to external sites.
- No client-side secrets. Service keys (Supabase service role, Resend, Anthropic, Microsoft client secret) live only in the server environment and are never sent to the browser.
- Input validation happens server-side on every action, not just client-side.
- Rate limiting on AI capture (per user) and on push subscription registration prevents abuse.
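The header set listed in this section and the per-user rate limit from the last item, as one added example that is not Suzy's code: a function that builds the headers a serverless handler attaches to every response, a checker that reports which of those headers are missing or carry an unexpected value (useful when verifying a deployment), and a sliding-window limiter wrapped around a minimal AI-capture handler. The CSP source lists, the placeholder Supabase origin, the exact referrer-policy value, the limit of 20 requests per minute and the function names are all assumptions.

```javascript
// Added example (not Suzy's code): security headers, a deployment check for them,
// and a per-user sliding-window rate limiter. Origins, CSP lists, the referrer
// policy value and the limit/window are assumptions.

const SUPABASE_ORIGIN = "https://project-ref.supabase.co"; // placeholder, not a real project

function securityHeaders() {
  return {
    "Content-Security-Policy": [
      "default-src 'self'",
      "script-src 'self'",
      `connect-src 'self' ${SUPABASE_ORIGIN}`, // where the browser may fetch/XHR to
      "img-src 'self' data:",
      "frame-ancestors 'none'",                // CSP counterpart of X-Frame-Options: DENY
      "base-uri 'self'",
      "form-action 'self'",
    ].join("; "),
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin", // assumed "strict" value
  };
}

// What a deployment check expects to see; each value must match its pattern.
const REQUIRED_HEADERS = {
  "Content-Security-Policy": /frame-ancestors 'none'/,
  "Strict-Transport-Security": /max-age=\d+/,
  "X-Frame-Options": /^DENY$/i,
  "X-Content-Type-Options": /^nosniff$/i,
  "Referrer-Policy": /^(no-referrer|strict-origin|strict-origin-when-cross-origin)$/i,
};

// Names of required headers that are absent or whose value fails its pattern.
function missingHeaders(headers) {
  const byLowerName = new Map(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  return Object.entries(REQUIRED_HEADERS)
    .filter(([name, pattern]) => !pattern.test(byLowerName.get(name.toLowerCase()) ?? ""))
    .map(([name]) => name);
}

class SlidingWindowLimiter {
  constructor({ limit, windowMs }) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.hits = new Map(); // key -> timestamps (ms) of requests still inside the window
  }

  // Records the request if within the limit and returns true; returns false otherwise.
  allow(key, now = Date.now()) {
    const cutoff = now - this.windowMs;
    const recent = (this.hits.get(key) ?? []).filter((t) => t > cutoff);
    const allowed = recent.length < this.limit;
    if (allowed) recent.push(now);
    this.hits.set(key, recent);
    return allowed;
  }
}

const aiCaptureLimiter = new SlidingWindowLimiter({ limit: 20, windowMs: 60_000 }); // assumed policy

// Minimal AI-capture handler: enforce the per-user limit before doing any work,
// and attach the header set to every response, the 429 included.
function handleAiCapture(userId, now = Date.now()) {
  const headers = securityHeaders();
  if (!aiCaptureLimiter.allow(userId, now)) {
    return { status: 429, headers: { ...headers, "Retry-After": "60" }, body: "rate limited" };
  }
  return { status: 200, headers, body: "captured" };
}
```

One caveat for serverless hosting: the limiter above keeps its counters in process memory, so each function instance enforces the limit independently. A deployment that scales across instances needs the counters in a shared store (the database, for example) for the limit to hold per user rather than per instance.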
Operational Practices
- Hosting: Vercel (serverless functions and static assets). Vercel is SOC 2 Type II audited.
- Database + auth: Supabase. Supabase is SOC 2 Type II audited and HIPAA compliant.
- Backups: Supabase performs daily backups with point-in-time recovery on the production database.
- Secrets management: environment variables are stored in Vercel's encrypted store, not in source control.
- Source code: private GitHub repository.
- Dependency updates: reviewed before merging; production dependencies are kept lean.
Sub-Processors
We use a small set of third-party services to operate Suzy (hosting, authentication, email delivery, AI text processing, optional calendar integration, and SMS delivery via Twilio). The full list and what each does is described in our Privacy Policy. These vendors act as processors on our behalf and only access the data necessary for their function.
What We Have NOT Done
For honesty: Suzy is a small beta. We have not pursued formal certification like SOC 2 Type II, ISO 27001, or HIPAA — those audits are designed for B2B SaaS pitching to enterprise customers, and the audit cost would be many multiples of the project's operating cost today.
We also have not had a formal third-party penetration test. What we have is the platform-level audits of the vendors we build on (Supabase, Vercel) and the controls listed above. If you need a higher assurance level for your use case, reach out and we'll be transparent about whether Suzy is the right fit.
Reporting a Vulnerability
If you believe you've found a security issue in Suzy, please tell us before disclosing it publicly. Submit a report via our contact form and pick the “Security report” category. We aim to acknowledge reports within two business days.
Our contact and policy are also published at /.well-known/security.txt in the standard RFC 9116 format.
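As an added example, not Suzy's own code or its published file, here is what producing and validating a `/.well-known/security.txt` in the RFC 9116 format involves. The two fields the RFC requires are `Contact` (one or more URIs) and `Expires` (exactly one ISO 8601 date-time); the validator also flags an expired file, an `Expires` more than a year out (the RFC's recommendation), and a plain-http contact URI. The contact addresses, policy URL and dates below are placeholders.

```javascript
// Added example (not Suzy's code): build and validate an RFC 9116 security.txt.
// All addresses, URLs and dates are placeholders.

const ONE_YEAR_MS = 366 * 24 * 60 * 60 * 1000;

// Serialises the fields; Contact may be a string or an array of strings.
function buildSecurityTxt({ contact, expires, policy, preferredLanguages }) {
  const lines = [];
  for (const c of [].concat(contact)) lines.push(`Contact: ${c}`);
  lines.push(`Expires: ${expires}`);
  if (policy) lines.push(`Policy: ${policy}`);
  if (preferredLanguages) lines.push(`Preferred-Languages: ${preferredLanguages}`);
  return lines.join("\n") + "\n";
}

// Parses "Field: value" lines into a Map of lower-cased field name -> [values].
// Blank lines and "#" comments are ignored, as the format allows.
function parseSecurityTxt(text) {
  const fields = new Map();
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#")) continue;
    const colon = line.indexOf(":");
    if (colon === -1) continue; // not a field line
    const name = line.slice(0, colon).trim().toLowerCase();
    const value = line.slice(colon + 1).trim();
    if (!fields.has(name)) fields.set(name, []);
    fields.get(name).push(value);
  }
  return fields;
}

// Returns { ok, problems, fields }; `now` is injectable so the check is deterministic.
function validateSecurityTxt(text, now = Date.now()) {
  const fields = parseSecurityTxt(text);
  const problems = [];

  const contacts = fields.get("contact") ?? [];
  if (contacts.length === 0) problems.push("Contact is required");
  for (const c of contacts) {
    if (!/^[a-z][a-z0-9+.-]*:/i.test(c)) problems.push(`Contact is not a URI: ${c}`);
    else if (/^http:\/\//i.test(c)) problems.push(`web Contact must use https: ${c}`);
  }

  const expires = fields.get("expires") ?? [];
  if (expires.length !== 1) {
    problems.push("Expires must appear exactly once");
  } else {
    const when = Date.parse(expires[0]);
    if (Number.isNaN(when)) problems.push("Expires is not a valid date-time");
    else if (when <= now) problems.push("security.txt has expired");
    else if (when - now > ONE_YEAR_MS) problems.push("Expires should be less than a year away");
  }

  return { ok: problems.length === 0, problems, fields };
}
```

Running the validator against the deployed file on a schedule catches the most common failure in practice, an `Expires` date that quietly passes, which leaves researchers unsure whether the listed contact is still monitored.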