Trust & Security
We hold brokerage credentials and trade data on your behalf. The page below is the honest picture of what we do to keep that data safe — no vague marketing language, no badges we haven’t actually earned.
Encryption
Brokerage OAuth tokens are encrypted at rest with AES-256-GCM via per-record IVs and authenticated tags. Plaintext tokens are never written to disk or logs. The same scheme protects refresh tokens, which we rotate on use. All traffic uses TLS 1.2+ via HTTPS, enforced end-to-end by Vercel and Supabase.
Privacy compliance
We honour GDPR (access, portability, erasure, rectification) and CCPA (know, delete, opt out of sale/share). Self-serve flows are in your privacy settings. California residents: Your Privacy Choices.
Security practices
Errors flow into Sentry with token redaction before transmission. Dependencies are kept current (npm audit + Dependabot). Production secrets are rotated at least quarterly. We follow the principle of least privilege for every service role and database policy.
Subprocessor disclosure
Every third-party service that touches your data is listed at /subprocessors, along with what data they receive and where they operate. We notify users at least 30 days before changing the list.
Reporting a vulnerability
If you think you’ve found a security issue, email security@ruleguardian.co. We acknowledge reports within 2 business days and patch P0/P1 issues as fast as we can. We don’t run a paid bug bounty yet — we’ll credit reporters who want it.
What we don’t claim
We don’t hold SOC 2, ISO 27001, or PCI certifications. We’re a small team, and pursuing those certifications ahead of demand would be theatre. If your firm requires them, email security@ruleguardian.co — we’ll discuss timeline.