Security
Controls that keep your data safe.
Authentication
We use Supabase Auth magic links exclusively—no passwords to leak or reuse. Sessions live in HTTP-only cookies and can be revoked via Settings at any time.
Data Protection
All user-owned tables enforce Row Level Security so only you can see your households and scenarios. Global assumption tables require admin privileges, and every change is logged. Databases are encrypted at rest on Supabase, and backups follow Supabase's managed schedule.
Operational Controls
Stripe hosts checkout and subscription management; we never touch card numbers. Sensitive endpoints such as billing and Monte Carlo simulations are rate-limited and monitored. Automated Vitest + Playwright suites cover onboarding, dashboard flows, and admin tooling per the SECURITY_AND_TESTING specification.