Security

We take the security of your data seriously. Here's how we protect your information.

Encryption

All data encrypted in transit via TLS 1.3 and at rest using AES-256-GCM with per-organization encryption keys.

Secure Auth

Sign in via OAuth (Google, Microsoft), magic link, or passkey (WebAuthn/FIDO2).

Access Controls

Multi-level RBAC with organization, project, and content-level roles enforced across every API endpoint.

Secure Infrastructure

Built on SOC 2 Type II certified infrastructure including Convex, Cloudflare, and Vercel.

Data Protection

Encryption in Transit

All communication with Project Feed is encrypted using TLS 1.3. HSTS (HTTP Strict Transport Security) is enforced with preload to prevent downgrade attacks. All internal service-to-service communication also uses encrypted connections.

Encryption at Rest

Files and attachments are encrypted at rest using AES-256-GCM with per-organization encryption keys. Each organization has its own encryption key, which is wrapped with a master key using AES-256-GCM key wrapping. Key rotation is supported with backward compatibility for previously encrypted data.

Sensitive fields such as SSO client secrets are additionally encrypted using application-level AES-256-GCM with PBKDF2-SHA256 key derivation (100,000 iterations). API keys are stored as one-way SHA-256 hashes and can never be retrieved after creation.

Authentication

Project Feed supports secure sign-in methods that avoid app-owned passwords. Supported authentication methods:

  • OAuth 2.0: Google and Microsoft with automatic account linking for matching email addresses
  • Magic Link: Secure email-based authentication with 5-minute link expiry, delivered through Project Feed's transactional email service
  • Passkey (WebAuthn/FIDO2): Hardware security key and biometric authentication support
  • Multi-Factor Authentication: Time-based one-time passwords (TOTP) with backup codes, managed by WorkOS AuthKit

Session Management

Sessions are managed by WorkOS AuthKit with automatic expiration. You can view your active sessions and revoke individual ones, or sign out everywhere from your security settings.

Access Controls

Project Feed implements role-based access control (RBAC) at multiple levels, enforced across every API endpoint:

  • Organization level: Owner, Admin, and Member roles with configurable permissions
  • Project level: Admin, Editor, and Viewer roles for granular content access
  • Content level: Visibility controls for posts, share link permissions with optional password protection and expiration

Infrastructure Security

Hosting

Project Feed is built on modern, SOC 2 Type II certified infrastructure:

  • Database: Convex — real-time database with built-in security, automatic backups, and tenant isolation
  • File Storage: Cloudflare R2 — server-side encryption with customer-provided keys (SSE-C), time-limited presigned URLs, and proxy-based access for encrypted files to avoid exposing keys in URLs
  • Application: Vercel — automatic HTTPS, DDoS protection, and edge network distribution

Rate Limiting

Comprehensive rate limiting protects against brute force and abuse across all endpoints, including authentication (5 attempts per 15 minutes), file uploads, API calls, and integration webhooks. Limits are enforced per-IP, per-key, and per-organization as appropriate.

Monitoring & Audit Logging

We continuously monitor our systems for security threats and anomalies. Audit logs track important actions including authentication events, data access, configuration changes, and security events. Audit log entries are chained using SHA-256 hashes for tamper detection, ensuring the integrity of the audit trail. Tiered retention policies (hot, warm, cold) allow organizations to meet their compliance requirements.

Pro Plus Security Features

For teams with security and compliance needs, Pro Plus includes:

  • Single Sign-On (SSO): OIDC integration with Okta, Azure AD, Google Workspace, and custom OIDC providers. Secured with PKCE (Proof Key for Code Exchange) and full JWT signature verification (RS256, ES256, and related algorithms)
  • SCIM 2.0 Provisioning: Automated user and group provisioning from your identity provider (RFC 7643/7644)
  • Managed MFA: Multi-factor authentication (TOTP and passkeys) managed by WorkOS AuthKit
  • IP Allowlisting: Restrict organization access to specific IP addresses or CIDR ranges
  • Data Loss Prevention: Pattern-based content scanning for sensitive data (credit cards, SSNs, API keys) with configurable block, redact, or alert actions
  • Legal Holds: Preserve data for compliance and eDiscovery requirements with user, project, or organization-level holds and point-in-time content snapshots
  • Managed Session Security: Session lifetime and sign-out are handled by WorkOS AuthKit

Security Assessments

We conduct regular internal security assessments of our application and infrastructure. Our most recent assessment covered over 97 backend files across 14 distinct security domains including authentication, authorization, data isolation, encryption, input validation, and more. Findings are triaged and remediated on a continuous basis.

Vulnerability Disclosure Policy

We welcome responsible security research. If you discover a vulnerability in Project Feed, please report it to us so we can address it promptly.

Scope

The following are in scope for security research:

  • The Project Feed web application (projectfeed.app)
  • The Project Feed REST API
  • Authentication and authorization flows

The following are out of scope:

  • Third-party services (Convex, Cloudflare, Vercel, etc.)
  • Social engineering or phishing attacks
  • Denial-of-service (DoS/DDoS) testing
  • Physical security
  • Automated scanning that degrades service availability

Rules of Engagement

  • Use your own test accounts and organizations
  • Do not access, modify, or delete other users' data
  • Do not degrade service availability for other users
  • Provide sufficient detail to reproduce the issue (steps, impact assessment, screenshots or proof of concept)

Our Commitment

  • We will acknowledge your report within 48 hours
  • We will triage and assess severity within 5 business days
  • We aim to remediate critical issues within 7 days, high-severity issues within 30 days, and medium-severity issues within 90 days
  • We will not pursue legal action against researchers who follow this policy in good faith

Report a vulnerability

Please include a detailed description of the vulnerability, steps to reproduce, and the potential impact. We appreciate your help in keeping Project Feed secure.

security@projectfeed.app

Compliance

Project Feed is built on SOC 2 Type II certified infrastructure, including Convex, Cloudflare, and Vercel. Our security practices align with the following industry standards:

  • OWASP Application Security guidelines
  • GDPR data protection requirements
  • SOC 2 Trust Services Criteria

Questions?

If you have questions about our security practices, please contact us at security@projectfeed.app.