[ SECURITY ]
How we keep your proof safe.
Last updated: May 2026
Transport & storage
- All traffic is HTTPS only — no plaintext fallback.
- Submissions and uploads are stored on Lovable Cloud (Supabase-backed Postgres + object storage), encrypted at rest.
- Database backups are taken daily and retained for 30 days.
Access control
- Row-level security on every user table — builders can only read their own drafts, submissions, and scores.
- Scoped employer access — an employer reviewing a challenge can only see submissions made to their challenge. There is no cross-employer leakage.
- Role-separated dashboards for builders, corporates, universities, governments, and admins. The role check happens on the server, not the client.
- Admin audit log — manual scoring, verification flips, and role changes are recorded with actor + timestamp.
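The builder-only and employer-scoped read rules above map directly onto Postgres row-level security policies. The SQL below is an added illustration, not the product's own schema or policies; it assumes tables named submissions (builder_id, challenge_id) and challenges (employer_id), and uses Supabase's auth.uid() helper for the signed-in user's id.

```sql
-- Added example (not ProofAIQ's own schema). Assumed tables:
--   submissions(id, builder_id, challenge_id, ...)
--   challenges(id, employer_id, ...)
-- auth.uid() is the Supabase helper returning the signed-in user's uuid.

alter table submissions enable row level security;
alter table submissions force row level security;  -- applies even to the table owner

-- Builders: read only the rows they authored.
create policy "builder reads own submissions"
  on submissions for select
  to authenticated
  using (builder_id = auth.uid());

-- Employers: read only submissions made to a challenge they own. The subquery
-- ties each row to challenges.employer_id, so one employer never sees another's.
-- Policy expressions run as the querying user, so challenges needs its own
-- policy letting an employer read their challenges, or exists() finds nothing.
create policy "employer reads submissions to own challenges"
  on submissions for select
  to authenticated
  using (
    exists (
      select 1 from challenges c
      where c.id = submissions.challenge_id
        and c.employer_id = auth.uid()
    )
  );

-- Builders may insert only under their own id. With no update/delete policy,
-- a submitted row cannot be altered or removed through the client API.
create policy "builder inserts own submissions"
  on submissions for insert
  to authenticated
  with check (builder_id = auth.uid());

-- Rough check from a SQL session impersonating a builder (constructed uuid):
-- set role authenticated;
-- select set_config('request.jwt.claims',
--   '{"sub":"00000000-0000-0000-0000-000000000001"}', true);
-- select count(*) from submissions;   -- counts only that builder's rows
```

Without the `force` clause, a connection using the table owner role bypasses the policies, so the check at the end is only meaningful under the `authenticated` role.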
Authentication
- Magic-link auth for builder, corporate, university, and government accounts — no passwords to phish.
- Admin accounts use email + password and are seeded manually — there is no public admin signup.
- Sessions live in a secure browser-managed store and rotate on sign-in.
Secret & dependency management
- All secrets (API keys, service-role keys) are stored in Lovable Cloud's secret store — never in source.
- Dependencies are scanned for known vulnerabilities and patched on a regular cadence.
- Server-only modules are bundle-isolated so service-role credentials cannot leak into the browser.
Reporting a vulnerability
If you find a security issue, please email security@proofaiq.com with a description and steps to reproduce. We acknowledge within 48 hours and aim to resolve high-severity issues within 7 days. We do not run a paid bounty yet, but we'll publicly credit you (with permission).