Posture overview
- Encryption at rest. All customer data is stored in Supabase Postgres with AES-256 encryption at rest (Supabase managed). Database backups are encrypted with separate keys.
- Encryption in transit. HTTPS-only across every endpoint. HSTS header set with a one-year max-age. Internal service-to-service communication uses authenticated, TLS-encrypted connections.
- Authentication. Supabase Auth with email + password and Google OAuth. Sessions are short-lived (1 hour access tokens, refresh-token rotation). Session cookies are HttpOnly, Secure, SameSite=Lax.
- Authorization. Row-Level Security (RLS) policies at the database layer scope every read and write to the authenticated user's own data. The service role key is server-only and never exposed to the browser.
- Secrets management. All credentials live in Vercel environment variables, scoped per-environment (Production / Preview). The build-time gate `assertVercelEnv()` fails any deploy missing a required secret rather than letting silent degradation slip to runtime.
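The build-time gate described above can be illustrated with a small TypeScript module. This is an added example, not StableLens's own `assertVercelEnv()` implementation: the variable names, the per-environment requirement lists and the Next.js `NEXT_PUBLIC_` prefix check are assumptions made for the illustration. It goes a step beyond the bullet by also refusing to build when a server-only credential (such as the Supabase service role key) has been given a browser-exposed name.

```typescript
// Added example (not StableLens code): a build-time environment gate in the
// spirit of the assertVercelEnv() described in the posture overview.
// All variable names below are hypothetical placeholders.

type VercelEnv = "production" | "preview" | "development";

// Secrets every environment needs. Hypothetical names.
const REQUIRED_COMMON = [
  "SUPABASE_URL",
  "SUPABASE_ANON_KEY",
  "SUPABASE_SERVICE_ROLE_KEY",
] as const;

// Extra secrets required only where real billing and email happen. Hypothetical names.
const REQUIRED_BY_ENV: Record<VercelEnv, readonly string[]> = {
  production: ["STRIPE_SECRET_KEY", "RESEND_API_KEY"],
  preview: [],
  development: [],
};

// Assumption: the app is a Next.js project, where any variable prefixed
// NEXT_PUBLIC_ is inlined into the browser bundle. A name carrying one of
// these markers must therefore never appear with that prefix.
const PUBLIC_PREFIX = "NEXT_PUBLIC_";
const SERVER_ONLY_MARKERS = ["SERVICE_ROLE", "SECRET", "API_KEY"];

export interface EnvCheck {
  env: VercelEnv;
  missing: string[]; // required and not set at all
  empty: string[];   // required, set, but blank
  exposed: string[]; // server-only credential given a browser-exposed name
}

export function checkVercelEnv(vars: Record<string, string | undefined>): EnvCheck {
  const rawEnv = vars["VERCEL_ENV"] ?? "development";
  if (rawEnv !== "production" && rawEnv !== "preview" && rawEnv !== "development") {
    throw new Error(`Unknown VERCEL_ENV value: ${rawEnv}`);
  }
  const env: VercelEnv = rawEnv;
  const required = [...REQUIRED_COMMON, ...REQUIRED_BY_ENV[env]];

  const missing = required.filter((name) => vars[name] === undefined);
  const empty = required.filter((name) => {
    const value = vars[name];
    return value !== undefined && value.trim() === "";
  });
  const exposed = Object.keys(vars).filter(
    (name) =>
      name.startsWith(PUBLIC_PREFIX) &&
      SERVER_ONLY_MARKERS.some((marker) => name.includes(marker)),
  );
  return { env, missing, empty, exposed };
}

// Throws (and so fails the build) on any problem. Call as assertVercelEnv(process.env)
// from a build step; the message names variables only, never their values, so the
// build log cannot leak a secret.
export function assertVercelEnv(vars: Record<string, string | undefined>): EnvCheck {
  const result = checkVercelEnv(vars);
  const problems = [
    ...result.missing.map((n) => `${n}: missing`),
    ...result.empty.map((n) => `${n}: set but empty`),
    ...result.exposed.map((n) => `${n}: server-only credential exposed to the browser bundle`),
  ];
  if (problems.length > 0) {
    throw new Error(
      `Refusing to build for VERCEL_ENV=${result.env}; fix these variables:\n  ${problems.join("\n  ")}`,
    );
  }
  return result;
}
```

Running the gate at build time rather than at request time is the point: a missing key is then a failed deploy that someone sees, not a request handler that silently falls back to a degraded path in production.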
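The transport and session-cookie items above (one-year HSTS max-age; HttpOnly, Secure, SameSite=Lax cookies) are the kind of thing worth checking against a live response rather than trusting a document. The following TypeScript is an added example, not StableLens code: it parses a `Strict-Transport-Security` value and a `Set-Cookie` header and reports anything weaker than that stated baseline. The header strings used in the usage comments are constructed samples.

```typescript
// Added example (not StableLens code): checks a response's HSTS header and a
// session Set-Cookie header against the posture stated on this page.

const ONE_YEAR_SECONDS = 31_536_000; // "one-year max-age"

export interface HstsResult {
  present: boolean;
  maxAge: number | null;   // parsed max-age, or null if absent/unparseable
  longEnough: boolean;     // max-age >= one year
  includeSubDomains: boolean;
}

export function checkHsts(headerValue: string | undefined): HstsResult {
  if (!headerValue) {
    return { present: false, maxAge: null, longEnough: false, includeSubDomains: false };
  }
  const directives = headerValue.split(";").map((d) => d.trim().toLowerCase());
  const maxAgeDirective = directives.find((d) => d.startsWith("max-age="));
  let maxAge: number | null = null;
  if (maxAgeDirective !== undefined) {
    const parsed = Number.parseInt(maxAgeDirective.slice("max-age=".length), 10);
    maxAge = Number.isNaN(parsed) ? null : parsed;
  }
  return {
    present: true,
    maxAge,
    longEnough: maxAge !== null && maxAge >= ONE_YEAR_SECONDS,
    includeSubDomains: directives.includes("includesubdomains"),
  };
}

export interface CookieResult {
  name: string;
  httpOnly: boolean;
  secure: boolean;
  sameSite: string | null; // lower-cased value, or null if the attribute is absent
  problems: string[];      // each entry is one deviation from the stated baseline
}

export function checkSessionCookie(setCookie: string): CookieResult {
  const parts = setCookie.split(";").map((s) => s.trim());
  const pair = parts[0] ?? "";
  const name = pair.split("=")[0] ?? "";
  const attrs = parts.slice(1).map((a) => a.toLowerCase());

  const httpOnly = attrs.includes("httponly");
  const secure = attrs.includes("secure");
  const sameSiteAttr = attrs.find((a) => a.startsWith("samesite="));
  const sameSite = sameSiteAttr !== undefined ? sameSiteAttr.slice("samesite=".length) : null;

  const problems: string[] = [];
  if (!httpOnly) problems.push("missing HttpOnly: cookie is readable by page scripts");
  if (!secure) problems.push("missing Secure: cookie may be sent over plain HTTP");
  if (sameSite === null) problems.push("missing SameSite: browser default applies");
  else if (sameSite === "none") problems.push("SameSite=None: cookie is sent on cross-site requests");

  return { name, httpOnly, secure, sameSite, problems };
}

// Usage with constructed sample headers (not captured from StableLens):
//   checkHsts("max-age=31536000; includeSubDomains")           // longEnough: true
//   checkSessionCookie("session=abc; Path=/; HttpOnly; Secure; SameSite=Lax") // problems: []
```

A response that passes both checks matches the posture stated above; a cookie with an empty `problems` array but `sameSite` of `"strict"` is also fine, since the check only flags `None` and absence.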
Compliance status
| Framework | Status | Notes |
|---|---|---|
| SOC 2 Type II | Not started | Assessment planned Q3 2026. |
| GDPR | Posture ready | Data subject access + deletion endpoints. Full DPA available on request for Enterprise. |
| CCPA | Posture ready | "Do Not Sell" honored by default — we don't sell user data. |
| Data residency | US-East | Vercel and Supabase regions both in us-east-1. EU residency available on Enterprise request. |
Vulnerability disclosure
If you believe you've found a security issue in StableLens, please email security@stablelens.com with details and a proof-of-concept. We will respond within 48 hours.
We follow a coordinated-disclosure policy: please give us reasonable time to investigate and patch before public disclosure. We do not currently run a paid bug-bounty program, but we will publicly credit researchers who report valid issues (with permission).
Out of scope: denial-of-service attacks, social engineering of our staff or contractors, physical security, third-party services we use (report those upstream).
Subprocessors
Third parties that touch customer data, in order of how much they see:
| Subprocessor | Purpose | Data category | Region |
|---|---|---|---|
| Supabase | Postgres database + auth | Account data, watchlist, alerts, profile | US-East-1 |
| Vercel | Application hosting + edge cache | Request logs (IP, user-agent, path) | US-East-1 |
| Stripe | Subscription billing | Email, billing address, payment method | US |
| Resend | Transactional email delivery | Email address, message content | US |
| CoinGecko | Stablecoin metadata + market data | None — outbound data only | — |
| DeFiLlama | Yield + TVL data | None — outbound data only | — |
| FRED (Federal Reserve) | Macro indicator data | None — outbound data only | — |
| Alchemy | RPC node access (Ethereum + L2s) | None — outbound data only | US |
Customer data flows: account info ↔ Supabase, billing ↔ Stripe, email delivery ↔ Resend. The data-source providers (CoinGecko, DeFiLlama, FRED, Alchemy) receive no customer data; we only pull public market data from them.
Data sources transparency
For details on how StableLens compliance scores, peg deviations, and yield risk metrics are computed — including which data sources feed each dimension — see the methodology page.
Incident response
Our incident response process: triage within 30 minutes of detection, customer notification within 24 hours of confirmation for any incident affecting customer data, post-incident review published within 7 days. The on-call rotation is the engineering team. Critical incidents trigger immediate escalation via PagerDuty (Phase 9).
DPA & BAA
A Data Processing Addendum (DPA) is available on request for any Enterprise customer that processes EU personal data. Business Associate Agreements (BAA) for HIPAA-covered entities are available on Enterprise plans. Contact enterprise@stablelens.com.
Account security best practices
- Use a unique, strong password (12+ characters, mixed case + digits + symbols) — or sign in with Google for hardware-backed authentication.
- Don't share your StableLens login. Team plans provide proper seat-based access.
- Review the email address and IP logged on every alert delivery — if anything looks wrong, email security@stablelens.com.