Security
Last updated: 8 July 2026
Security is central to a tool that handles your ledger and places calls on your behalf. This page describes the measures currently built into AutoDebtor. It complements our Privacy Policy and GDPR notice.
1. Tenant isolation
All application data is scoped to your organisation. Every table enforces database-level Row Level Security (RLS), and application queries are constrained by your organisation identifier, so one customer's data is not accessible to another. Privileged server-side operations use a separate service credential and run only in our backend, never in the browser.
2. Authentication
- Accounts are authenticated with email and password through Supabase Auth; passwords are stored as salted hashes and are never accessible to us in plaintext.
- Email ownership is verified with a six-digit code before a trial is activated.
- Password reset and email-verification codes are stored only as keyed HMAC hashes, are single-use, expire after a short window, and are rate-limited by a maximum number of attempts. The password-reset flow is designed not to reveal whether a given email address has an account.
3. Encryption in transit and at rest
Traffic to the application and between our services and our providers is encrypted with TLS/HTTPS. Data at rest is stored on our managed database and hosting providers (Supabase and Cloudflare), which provide encryption at rest as part of their platforms.
4. Infrastructure
The application runs on Cloudflare's edge platform, with the low-latency streaming call component running in an isolated Cloudflare Worker. Data is stored in a managed Supabase (PostgreSQL) database. Secrets and API keys are held as encrypted configuration on the hosting platforms and are not committed to source control or exposed to the browser.
5. Payments
Payments are handled by Stripe. Card details are entered directly with Stripe and are neither transmitted through nor stored by AutoDebtor. Incoming billing webhooks are verified against Stripe's signature before they are processed.
6. Administrative and internal endpoints
Operational and administrative endpoints are protected by a separate admin token and are not accessible with ordinary user credentials. Automated jobs (such as call scheduling) run server-side with scoped credentials.
7. Least data by design
- We store text transcripts and structured outcomes of calls rather than maintaining a general archive of recorded call audio.
- We use Plausible Analytics, a privacy-focused, cookieless analytics service. It collects aggregate usage data only and does not use cookies or track individuals across sites.
- Sensitive tokens (verification/reset codes) are stored hashed, not in plaintext.
8. Reporting a vulnerability
If you believe you have found a security vulnerability, please contact us at [email protected] with details so we can investigate. Please act in good faith, avoid accessing or modifying other users' data, and give us a reasonable opportunity to respond before any public disclosure.