Advottic provides legal information and case organization - not legal advice. Consult a licensed attorney before taking action.

Security & data handling

Last updated: 2026-04-25

In transit

All traffic to Advottic is served over HTTPS with TLS 1.2+. Strict-Transport-Security (HSTS) is enabled on the production domain.

At rest

  • Database: Postgres on Supabase, AES-256 encrypted at rest. Per-row access enforced by Row-Level Security policies tied to your user ID.
  • Files: exhibit uploads sit in a private storage bucket. Path-scoped policies ensure users only see files for cases they own or were invited into.
  • Secrets: API keys and webhook secrets are stored as encrypted environment variables on Vercel. Service-role keys never reach the browser.

Authentication

  • Sign-in via Google OAuth, Microsoft OAuth, or email magic links - issued by Supabase Auth. We never see your password.
  • Session cookies are HTTP-only, Secure, and SameSite=Lax.
  • Sign-out invalidates the session immediately and clears auth cookies in the browser.
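
The transport and session-cookie properties stated above (HSTS under "In transit"; HTTP-only, Secure, SameSite=Lax under "Authentication") can be checked from response headers. The following is an added example, not Advottic's own code; the sample headers are constructed, and the cookie name `example_session` and the one-year `max-age` floor are assumptions.

```python
# Added example; SAMPLE_HEADERS is constructed, not captured from Advottic.
# The cookie name "example_session" and the one-year HSTS floor are assumptions.
SAMPLE_HEADERS = [
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains"),
    ("Set-Cookie", "example_session=abc; Path=/; HttpOnly; Secure; SameSite=Lax"),
    ("Set-Cookie", "theme=dark; Path=/; SameSite=Lax"),
]

def parse_directives(value):
    """Split 'a=1; b; c=2' into a dict with lowercase keys; bare flags map to ''."""
    out = {}
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key:
            out[key.strip().lower()] = val.strip().strip('"')
    return out

def audit_hsts(headers, min_age=31536000):
    """Return findings for the Strict-Transport-Security header (first one wins)."""
    values = [v for k, v in headers if k.lower() == "strict-transport-security"]
    if not values:
        return ["HSTS header missing"]
    age = parse_directives(values[0]).get("max-age", "")
    if not age.isdigit():
        return ["HSTS max-age missing or malformed"]
    if int(age) < min_age:
        return [f"HSTS max-age {age} is below {min_age}"]
    return []

def audit_cookies(headers, session_names):
    """Return findings for the named session cookies' HttpOnly/Secure/SameSite."""
    findings = []
    for k, v in headers:
        if k.lower() != "set-cookie":
            continue
        pair, _, attr_str = v.partition(";")
        name = pair.split("=", 1)[0].strip()
        if name not in session_names:
            continue
        attrs = parse_directives(attr_str)
        findings += [f"{name}: missing {f}" for f in ("httponly", "secure") if f not in attrs]
        # Strict is accepted as well because it is tighter than the Lax stated above.
        if attrs.get("samesite", "").lower() not in ("lax", "strict"):
            findings.append(f"{name}: SameSite is not Lax or Strict")
    return findings

if __name__ == "__main__":
    print(audit_hsts(SAMPLE_HEADERS) + audit_cookies(SAMPLE_HEADERS, {"example_session"}))
```

An empty list from both functions means the captured headers match the stated properties; non-session cookies such as the constructed `theme` cookie are skipped on purpose.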

Access controls

  • RLS denies cross-user reads and writes by default.
  • Admin tools are gated by an `is_admin` flag on the profiles table.
  • Webhook endpoints verify signatures before processing.

Sub-processors

Vercel (hosting), Supabase (auth + database + storage), Anthropic (AI processing for Legal Eye and Bella), Stripe (subscription billing). Inputs to Anthropic are not used to train models per Anthropic's commercial terms.

Reporting a vulnerability

Email contact@advottic.com with subject line [security]. We aim to acknowledge within 2 business days. Please don't publicly disclose before we've had a chance to investigate and fix.

Read also our Privacy Policy, Terms, and Cookie Policy.