1. Overview
CoStartups handles professional and contact data for a closed network. Security is built into authentication, database access, file storage, and deployment. This page describes our approach. It is not a certification or audit report.
2. Authentication
- User authentication is handled by Supabase Auth
- Passwords are hashed by the auth provider; we never store or log plain-text passwords
- Sessions are carried in HTTP-only cookies (not readable by page scripts), with the Secure attribute set in production so they are sent only over HTTPS
- OAuth sign-in is supported where configured; tokens are managed by the auth provider
You are responsible for using a strong, unique password and keeping your login credentials private.
3. Database and access control
- Application data is stored in PostgreSQL on Supabase
- Row Level Security (RLS) is enabled on user tables. Users can modify only their own profiles, posts, and related records; read access to other members' records exists only where a policy explicitly grants it
- Server-side actions use authenticated sessions; privileged operations run on the server, not in the browser
- Database credentials and service keys are not exposed to client-side code. The service key bypasses RLS, so it is used only from server code
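As an added illustration of the row-level model described above (example schema and policies written for this page, not CoStartups' own migrations), here is a minimal profiles/posts schema where each table is deny-by-default and writes are tied to the signed-in account. It assumes Supabase's `auth.uid()` helper and `authenticated` role; the table and column names, the rule that any signed-in member may read all profiles and posts, and the test user ids are assumptions.

```sql
-- Added example for this page, not CoStartups' own migrations.
-- Assumptions: Supabase's auth.uid() helper and its "authenticated" role
-- exist; table and column names and the read rules are illustrative.

create table public.profiles (
  id         uuid primary key references auth.users (id) on delete cascade,
  full_name  text not null,
  headline   text,
  updated_at timestamptz not null default now()
);

create table public.posts (
  id         uuid primary key default gen_random_uuid(),
  author_id  uuid not null references public.profiles (id) on delete cascade,
  body       text not null,
  created_at timestamptz not null default now()
);

-- Supabase grants these to authenticated by default; shown for completeness.
grant select, insert, update, delete on public.profiles, public.posts to authenticated;

-- Deny by default: with RLS enabled and no matching policy, a query from the
-- authenticated role sees no rows and every write is rejected.
alter table public.profiles enable row level security;
alter table public.posts    enable row level security;

-- Read access is granted explicitly. Only signed-in members qualify; the
-- anon role has no policy here and therefore sees nothing.
create policy "members read profiles" on public.profiles
  for select to authenticated using (true);
create policy "members read posts" on public.posts
  for select to authenticated using (true);

-- Writes are tied to the owning account. USING filters which existing rows a
-- statement may touch; WITH CHECK rejects new or updated rows that would
-- belong to someone else (e.g. re-pointing author_id at another user).
create policy "owner inserts own profile" on public.profiles
  for insert to authenticated with check (id = auth.uid());
create policy "owner updates own profile" on public.profiles
  for update to authenticated
  using (id = auth.uid()) with check (id = auth.uid());

create policy "owner inserts own posts" on public.posts
  for insert to authenticated with check (author_id = auth.uid());
create policy "owner updates own posts" on public.posts
  for update to authenticated
  using (author_id = auth.uid()) with check (author_id = auth.uid());
create policy "owner deletes own posts" on public.posts
  for delete to authenticated using (author_id = auth.uid());

-- Checking a policy without the app: impersonate a member inside a
-- transaction. auth.uid() reads the "sub" claim from request.jwt.claims.
-- The user ids below are made up for this test.
begin;
set local role authenticated;
set local request.jwt.claims =
  '{"sub":"11111111-1111-1111-1111-111111111111","role":"authenticated"}';
select count(*) from public.posts;          -- runs: members may read
insert into public.posts (author_id, body)
  values ('22222222-2222-2222-2222-222222222222', 'spoofed');
  -- rejected by RLS before any constraint check:
  -- ERROR: new row violates row-level security policy for table "posts"
rollback;
```

The impersonation block at the end is the check worth running after every policy change: it exercises the policies as the `authenticated` role rather than as the dashboard's `postgres` role, which is a superuser-like role that would otherwise hide a missing `with check` clause. Note that the `service_role` key carries the `bypassrls` attribute, so none of these policies apply to it; that is the reason it must never reach the browser.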
4. File storage
- Profile photos and cover images are stored in Supabase Storage
- Upload paths are scoped per user ID
- Storage policies restrict writes to the owning account
- Allowed file types and size limits are enforced on upload (JPEG, PNG, WebP; 5MB max)
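As an added example of the storage rules listed above (written for this page, not CoStartups' actual bucket configuration): a private bucket with the stated size and type limits, and policies on `storage.objects` that confine writes to a folder named after the owner's user id. It assumes Supabase's `storage.foldername()` and `auth.uid()` helpers, a bucket named `avatars`, and an object-key layout of `<user id>/<file name>`; all three are assumptions.

```sql
-- Added example for this page, not CoStartups' own bucket configuration.
-- Assumptions: a private bucket named "avatars" holding objects under
-- "<user id>/<file name>"; Supabase's storage.foldername() and auth.uid().

insert into storage.buckets (id, name, public, file_size_limit, allowed_mime_types)
values (
  'avatars',
  'avatars',
  false,                                          -- no unauthenticated URL access
  5 * 1024 * 1024,                                -- 5 MB, enforced at upload time
  array['image/jpeg', 'image/png', 'image/webp']  -- allow-list of declared types
);

-- storage.objects already has RLS enabled; without policies nobody can
-- list, read or write, so each permission is opened explicitly.

-- Any signed-in member may read images in this bucket (closed network).
create policy "members read avatars" on storage.objects
  for select to authenticated
  using (bucket_id = 'avatars');

-- Writes are confined to the caller's own top-level folder:
-- storage.foldername('abc/cover.png') = '{abc}', so element [1] is the owner id.
-- A key with no folder ('cover.png') yields an empty array, [1] is NULL,
-- and the comparison fails, so root-level uploads are rejected too.
create policy "owner uploads to own folder" on storage.objects
  for insert to authenticated
  with check (
    bucket_id = 'avatars'
    and (storage.foldername(name))[1] = auth.uid()::text
  );

create policy "owner replaces own files" on storage.objects
  for update to authenticated
  using (bucket_id = 'avatars' and (storage.foldername(name))[1] = auth.uid()::text)
  with check (bucket_id = 'avatars' and (storage.foldername(name))[1] = auth.uid()::text);

create policy "owner deletes own files" on storage.objects
  for delete to authenticated
  using (bucket_id = 'avatars' and (storage.foldername(name))[1] = auth.uid()::text);
```

Two caveats a reviewer would raise. First, `file_size_limit` and `allowed_mime_types` are applied by the Storage service to the upload's size and its declared Content-Type; the Content-Type is supplied by the client, so an allow-list on it is a check of metadata, not of the bytes. A server-side look at the file's leading bytes (the JPEG, PNG and WebP signatures) before or after upload is what confirms the stored object is the image type it claims to be. Second, with `public` set to false, reads go through authenticated requests or signed URLs rather than plain bucket URLs; if images are meant to be fetchable by anyone with the link, the bucket would be public instead and the select policy above becomes unnecessary.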
5. Transport and hosting
- CoStartups is served over HTTPS (TLS) in production
- The application is hosted on Vercel with industry-standard edge and serverless infrastructure
- Environment secrets (API keys, database URLs) are stored as platform environment variables, not in source code
6. Application practices
- Protected routes require a valid session before onboarding, profile editing, and posting
- User input is stored as provided; we rely on the framework's default output escaping when rendering it, and on server-side validation for critical actions
- Dependencies are updated as part of regular maintenance
7. Incident response
If we confirm a breach affecting personal data, we will investigate promptly, take steps to contain it, and notify affected users and regulators where required under UK law.
8. Report a vulnerability
If you believe you have found a security vulnerability in CoStartups, report it to security@costartups.app. Include enough detail for us to reproduce the issue. Do not publicly disclose before we have had a reasonable time to investigate.
We do not operate a paid bug bounty programme at this time. We acknowledge good-faith reports and will work with you to understand and resolve valid issues.
9. Your responsibilities
- Use a strong password and enable available security features on your email account
- Sign out on shared devices
- Do not share account access
- Report suspicious activity to security@costartups.app