Security at SourceGent

SourceGent is built on enterprise-grade cloud infrastructure designed for reliability and security:

Every piece of data in SourceGent is scoped to the authenticated user and their company. We enforce this at the database level using Supabase Row Level Security (RLS), not just in application code.

What This Means

• Your proposals, documents, and company profile are never visible to other users
• Multi-company accounts enforce company-level isolation: Company A cannot access Company B data
• Team members only see data scoped to the companies they have been explicitly invited to
• RLS policies are validated at the PostgreSQL query layer, providing defense-in-depth even if application code has a bug

Proposal Sharing

The optional review portal generates cryptographically random 48-character share tokens. Shared links expire after 90 days by default. Tokens are rate-limited to prevent brute-force enumeration. You can revoke any share link at any time from your account settings.

• Passwords are hashed using bcrypt via Supabase Auth: we never store plaintext passwords
• Email verification is required before accessing AI features
• Secure HTTP-only session cookies with short-lived JWT tokens
• All authenticated routes are protected server-side; client-side guards are defense-in-depth only
• Team invitations expire and are single-use; they cannot be redeemed by unintended recipients
• Account deletion triggers cascading removal of all associated data via database constraints

We use Anthropic's Claude API to analyze documents and generate proposal content. We take the following measures when handling AI processing:

Data in Transit to Anthropic

• All API calls to Anthropic are made over HTTPS/TLS
• We operate under Anthropic's commercial API terms, which prohibit training on API inputs without explicit opt-in
• Your document content is never shared with other SourceGent users or organizations
• We do not use your proposals or documents to fine-tune or train any AI model

AI Usage Controls

• Per-endpoint rate limiting prevents abuse and controls API costs (these throttles favor availability: a transient check failure allows the request rather than blocking legitimate work)
• Daily cost caps enforce per-plan AI usage budgets and fail closed: if the day's usage cannot be verified, AI requests are denied until it can be, never allowed to run uncapped
• Every AI call is logged to an internal usage table for quota tracking and anomaly detection
• Feature gates fail closed: an error during access checks denies access, not grants it

Input Validation & File Handling

• File uploads are validated using magic byte inspection: file extensions alone are not trusted
• Uploaded files are stored in isolated Supabase Storage buckets, not served from the web root
• All user-supplied input is sanitized before database writes
• API routes enforce strict field whitelists: arbitrary column injection is prevented server-side

Request Security

• Content Security Policy (CSP) headers on all responses
• CORS configured to restrict cross-origin access to authorized domains only
• Stripe webhook signature verification on all incoming payment events
• Cron endpoints protected by secret token authentication

Audit Logging

• Sensitive mutations are recorded in an audit log table
• Failed audit log writes are captured as Sentry warnings for compliance visibility
• Admin access is restricted via server-side email allowlist enforcement

Optimistic Locking

Proposal section saves use timestamp-based optimistic locking. If two users (or two tabs) attempt to save the same section simultaneously, the second write is rejected with a conflict warning rather than silently overwriting work.

• All payments are processed by Stripe, a PCI DSS Level 1 certified payment processor
• We never store, transmit, or log raw credit card numbers or CVV codes
• Stripe customer IDs are cross-validated against user accounts on every webhook event
• Subscription downgrade logic runs on a scheduled cron job, ensuring expired subscriptions are caught even if webhooks fail

• Error monitoring: Sentry captures application exceptions in real time with full stack traces
• Performance monitoring: Vercel analytics tracks function latency and error rates
• Dependency updates: We monitor and apply security patches to our dependency tree on a regular basis

In the event of a data breach that affects your personal information, we will notify affected users in accordance with applicable laws, including providing details about what was affected and steps taken to address the issue.

We welcome security researchers and users to report potential vulnerabilities. If you believe you have found a security issue in SourceGent, please report it to us before disclosing it publicly.

We do not currently offer a bug bounty program, but we do acknowledge responsible disclosures and take every report seriously.

Have security questions that aren't answered here? Contact us: