Blindspot

Security

How we secure data in transit, at rest, and through our sub-processors. Vulnerability reporting is covered in section 5; section 6 is an honest enumeration of what we have NOT yet built.

1. Data in transit

All traffic to Blindspot is served over HTTPS using TLS 1.3 via Vercel-managed certificates. API requests, page renders, and static asset fetches all share the same TLS termination. We do not maintain a non-HTTPS surface.

2. Data at rest

User data lives in Supabase Postgres with encryption-at-rest enabled (AES-256). Brokerage credentials (Plaid access tokens, SnapTrade userSecrets) are additionally encrypted at the application layer using AES-256-GCM before they hit the database -- see Privacy §4 for the full disclosure.

No PII appears in application logs: emails are redacted to local-part hashes before any structured log line is emitted, and request bodies are never logged verbatim.

3. Authentication

Sign-in is handled by Supabase Auth with email verification required before a session is issued. Password rules are enforced server-side at sign-up and surfaced to the user as a live checklist on the form (see src/lib/auth/password.ts):

  • At least 8 characters
  • One uppercase letter
  • One lowercase letter
  • One number
  • One symbol

Passwords are never visible to us -- Supabase Auth hashes them before they cross the trust boundary.
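As an added illustration (not Blindspot's own src/lib/auth/password.ts, whose contents are not shown here), the following TypeScript validator applies the five rules above and returns a per-rule checklist, so one function can both gate sign-up on the server and feed the live checklist on the form. Rule ids, labels and the function names are assumptions.

```typescript
// Added example, not the project's own code. Rule ids and names are assumed.
type RuleId = "length" | "upper" | "lower" | "digit" | "symbol";

type PasswordRule = {
  id: RuleId;
  label: string;
  test: (pw: string) => boolean;
};

// The five rules listed on this page, in the order the form shows them.
const PASSWORD_RULES: PasswordRule[] = [
  { id: "length", label: "At least 8 characters", test: (pw) => pw.length >= 8 },
  { id: "upper", label: "One uppercase letter", test: (pw) => /[A-Z]/.test(pw) },
  { id: "lower", label: "One lowercase letter", test: (pw) => /[a-z]/.test(pw) },
  { id: "digit", label: "One number", test: (pw) => /[0-9]/.test(pw) },
  // Anything that is not an ASCII letter or digit counts as a symbol here.
  { id: "symbol", label: "One symbol", test: (pw) => /[^A-Za-z0-9]/.test(pw) },
];

type PasswordCheck = {
  ok: boolean;
  results: { id: RuleId; label: string; passed: boolean }[];
};

// Evaluates every rule (never short-circuits) so the UI can show each tick.
function checkPassword(pw: string): PasswordCheck {
  const results = PASSWORD_RULES.map((r) => ({
    id: r.id,
    label: r.label,
    passed: r.test(pw),
  }));
  return { ok: results.every((r) => r.passed), results };
}

// Server-side gate: re-run the same rules at sign-up rather than trusting
// the client's checklist state; the thrown message names the failed rules.
function assertPasswordPolicy(pw: string): void {
  const { ok, results } = checkPassword(pw);
  if (!ok) {
    const failed = results.filter((r) => !r.passed).map((r) => r.label);
    throw new Error(`Password does not meet policy: ${failed.join("; ")}`);
  }
}
```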

4. Third-party processors

Blindspot relies on a small set of third-party processors; each handles a specific slice of the workload and is governed by its own controls and policies.

5. Vulnerability reporting

Found a vulnerability? Email us at hello@blindspot.fyi. We respond to all reports within 5 business days. Please include enough detail to reproduce the issue, the URL or endpoint involved, and your contact preference for the follow-up.

We do not currently run a paid bug bounty, but we welcome coordinated disclosure and will credit reporters who request it.

6. Out of scope for v1

We owe you an honest list of what is not yet shipped. The following are on the roadmap, not currently in place:

  • SOC 2 -- not yet audited. Initial readiness work is on the institutional-tier roadmap.
  • ISO 27001 -- not yet certified.
  • SSO -- single sign-on (SAML / OIDC) is not yet supported for customer accounts.
  • Two-factor authentication (2FA) -- not yet shipped for end users. Supabase Auth MFA is the expected vehicle when this lands.
  • Formal penetration test -- no third-party pen-test results are available yet. We run internal review on a best-effort basis.

We will update this page as each of the above lands. We prefer this honest enumeration to a polished claim that omits gaps.
