Isolation
Every row in the database carries an org_id. A single Prisma extension (forOrg(orgId)) auto-injects this filter on reads and writes for org-scoped models, so a missing scope is impossible by construction. An integration test suite (tests/integration/isolation.test.ts) actively tries to read and write other orgs' data and asserts every attempt fails.
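As an added illustration (not Hoursmith's code), a TypeScript sketch of what a forOrg(orgId) query hook does: it ANDs org_id into every where clause and stamps it onto every write for org-scoped models, and refuses a caller-supplied org_id that differs from the session's. The model names, the in-memory table and the runAs driver are constructed stand-ins so it runs without Prisma; the real Prisma wiring appears only in a comment.

```typescript
// Subset of what Prisma hands to a `query.$allModels.$allOperations` hook.
type Operation = "findMany" | "findFirst" | "create" | "update" | "updateMany" | "delete" | "deleteMany";
interface QueryArgs { where?: Record<string, unknown>; data?: Record<string, unknown> }
interface QueryCall<T> { model: string; operation: Operation; args: QueryArgs; query: (args: QueryArgs) => T }

// Constructed list of models that carry org_id; anything else (a global Plan table, say) passes through.
const ORG_SCOPED_MODELS = new Set(["Project", "TimeEntry", "EmailLog"]);

class CrossOrgAccessError extends Error {}

// forOrg(orgId) builds the hook. In Prisma it would be wired as
//   prisma.$extends({ query: { $allModels: { $allOperations: forOrg(orgId) } } })
// so every call on the extended client passes through it; T is the Promise Prisma returns.
function forOrg(orgId: string) {
  return function scoped<T>({ model, operation, args, query }: QueryCall<T>): T {
    if (!ORG_SCOPED_MODELS.has(model)) return query(args);
    const next: QueryArgs = { ...args };
    // Every operation except create has a `where`: AND org_id into it. A caller-supplied
    // org_id for another org is an attempted cross-tenant access, so refuse rather than override.
    if (operation !== "create") {
      const where = args.where ?? {};
      if ("org_id" in where && where.org_id !== orgId) {
        throw new CrossOrgAccessError(`${model}.${operation}: where.org_id is not the caller's org`);
      }
      next.where = { ...where, org_id: orgId };
    }
    // Writes that carry data are stamped with the session's org_id; the client never chooses it.
    if (operation === "create" || operation === "update" || operation === "updateMany") {
      const data = args.data ?? {};
      if ("org_id" in data && data.org_id !== orgId) {
        throw new CrossOrgAccessError(`${model}.${operation}: data.org_id is not the caller's org`);
      }
      next.data = { ...data, org_id: orgId };
    }
    return query(next);
  };
}

// Constructed in-memory stand-in for the Project table, so the example runs offline.
type Row = Record<string, unknown>;
const table: Row[] = [
  { id: 1, org_id: "org_a", name: "Alpha" },
  { id: 2, org_id: "org_b", name: "Bravo" },
];
const matches = (row: Row, where: Record<string, unknown>) => Object.entries(where).every(([k, v]) => row[k] === v);
const fakeQuery = (operation: Operation) => (args: QueryArgs): Row[] => {
  if (operation === "create") { const row = { id: table.length + 1, ...(args.data ?? {}) }; table.push(row); return [row]; }
  return table.filter((r) => matches(r, args.where ?? {}));
};

// Run one operation on Project through forOrg, the way the extended client would.
function runAs(orgId: string, operation: Operation, args: QueryArgs): Row[] {
  return forOrg(orgId)({ model: "Project", operation, args, query: fakeQuery(operation) });
}
```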
Encryption
- In transit: HTTPS only, HSTS, secure cookies (real auth ships with the next milestone).
- At rest: the managed database encrypts disks. Your bring-your-own email credentials are additionally encrypted with AES-256-GCM and a server-only key (EMAIL_CREDENTIAL_KEY), and never returned to the client.
Payments
We never store card numbers, CVCs, or expiry dates. All payment flows redirect to Stripe Checkout / Customer Portal. We store only Stripe identifiers and the plan / subscription status we mirror via webhooks.
Backups + restore
Production Postgres is a managed service (Neon, Supabase, or RDS depending on the deployment). Daily automated snapshots are retained for at least 7 days. We test a restore at least once per quarter against a throwaway database.
Logging + alerting
Server errors and unhandled rejections route to Sentry (when SENTRY_DSN is configured). Webhook handler failures and billing reconciliation drift trigger alerts.
Data export
You can export every row in your workspace as JSON from /settings at any time, including activity log and email log entries — see /privacy for the catalog.
Reporting an issue
If you think you've found a vulnerability, email hi@hoursmith.app. We respond within 72 hours and credit reporters with their permission.