How we protect your data and contracts.
Authentication is powered by Supabase Auth with row-level security (RLS). Passwords are hashed with bcrypt. OAuth sign-in is available via Google. Session tokens are short-lived JWTs with automatic refresh.
Every user can only access their own data. Supabase Row Level Security policies enforce this at the database level — not just the application layer.
All data in transit is encrypted via TLS 1.3. Data at rest is encrypted by Supabase (AES-256). Stripe tokenizes all payment data — we never store card numbers.
Every generated contract is hashed with SHA-256 at creation time. The hash is stored publicly and can be used to verify the document hasn't been altered.
Users from OFAC-sanctioned regions are blocked at the middleware layer before any data processing. The region is determined from Vercel's IP geolocation headers.
All payments are processed by Stripe in test mode. No card data touches our servers. Stripe webhook signatures are verified on every event.
Service role keys are server-side only. All API routes validate authentication. Webhook endpoints verify Stripe signatures. Rate limiting is applied at the Vercel edge.
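What the Stripe webhook signature check mentioned above involves, shown as an added example that is not LicenseComposer's own code. It follows Stripe's documented scheme (a `Stripe-Signature` header of the form `t=<timestamp>,v1=<hex>` carrying an HMAC-SHA256 over `<timestamp>.<raw body>`). The function names, the secret, the event body and the 300-second tolerance are assumptions constructed for illustration.

```javascript
// Added example: manual check of a Stripe-Signature header (not LicenseComposer's code).
const crypto = require("crypto");

// Stripe signs `${t}.${rawBody}` with the endpoint secret using HMAC-SHA256.
function sign(secret, timestamp, rawBody) {
  return crypto.createHmac("sha256", secret)
    .update(`${timestamp}.${rawBody}`, "utf8")
    .digest("hex");
}

// Returns "ok" or a rejection reason. toleranceSec (assumed 300) bounds replay of old events.
function verifyStripeSignature(rawBody, header, secret, nowSec, toleranceSec = 300) {
  let timestamp = null;
  const candidates = [];
  for (const part of String(header || "").split(",")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const key = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (key === "t") timestamp = value;
    if (key === "v1") candidates.push(value); // several v1 values may be present
  }
  if (!/^\d+$/.test(timestamp || "") || candidates.length === 0) return "malformed-header";

  const expected = Buffer.from(sign(secret, timestamp, rawBody), "hex");
  const matched = candidates.some((sig) => {
    // Reject anything that is not 64 lowercase hex chars so buffer lengths always match.
    if (!/^[0-9a-f]{64}$/.test(sig)) return false;
    return crypto.timingSafeEqual(Buffer.from(sig, "hex"), expected);
  });
  if (!matched) return "bad-signature";
  if (Math.abs(nowSec - Number(timestamp)) > toleranceSec) return "stale-timestamp";
  return "ok";
}

// Constructed sample values, not real secrets or events.
const SECRET = "whsec_example_only";
const BODY = '{"id":"evt_example","type":"checkout.session.completed"}';
const T = 1700000000;
const HEADER = `t=${T},v1=${sign(SECRET, T, BODY)}`;

console.log(verifyStripeSignature(BODY, HEADER, SECRET, T + 10));       // genuine event
console.log(verifyStripeSignature(BODY + " ", HEADER, SECRET, T + 10)); // body re-serialized
console.log(verifyStripeSignature(BODY, HEADER, SECRET, T + 3600));     // replayed an hour later
```

The check must run over the raw request bytes: parsing the JSON and re-serializing it before verification changes the signed payload and makes genuine events fail.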
All export events, generation events, and acceptance records are logged to the events table with timestamps, user IDs, and metadata.
If you discover a security vulnerability in LicenseComposer, please report it responsibly:
We appreciate responsible disclosure and will credit researchers in our changelog.