Trust & Security

Security at SupaWeb

SupaWeb is built as a Revenue Intelligence platform with a strict separation of responsibilities: the Desktop Agent executes scans locally, while the Web Dashboard visualizes results. We prioritize secure authentication, least-privilege access, and controlled data handling.

Authentication
Supabase Auth

Session-based access, token validation, and secure identity handling.

Payments
Polar Subscriptions

Billing handled externally; plan entitlements synced via webhooks.

Hosting
Vercel Infrastructure

Secure deployment pipeline with environment variable isolation.

Security Principles

Our security model is designed around practical enterprise expectations: strong identity controls, limited data retention, and clear operational boundaries.

  • Least Privilege by Default
    Access is scoped to authenticated users and validated entitlements.
  • Separation of Responsibilities
    Desktop executes scans; the web dashboard visualizes results.
  • Controlled Data Handling
    Structured intelligence is uploaded — not a full raw site mirror.
  • Secure-by-Design Integrations
    Billing events are validated through Polar webhook signatures before updating entitlements.

High-Level Data Flow

This is how SupaWeb processes scans from Desktop to Web in a controlled, predictable pipeline.

1) User Authentication
User signs in via Supabase Auth. Desktop receives a short-lived access token for API requests.
2) Plan Entitlement Verification
The server reads the subscription status from Supabase (synced by the Polar webhook). The desktop treats the plan as read-only; it never sends or chooses one.
3) Local Scan Execution
The desktop crawls the site, runs the factors and models revenue impact locally. Plan caps bound the number of pages crawled and factors run.
4) Intelligence Packaging
Desktop compiles a structured results package (findings, scores, evidence pointers) for upload.
5) Secure Upload + Web Visualization
Package is uploaded over HTTPS to Vercel API endpoints. Dashboard renders reports and exports.

Note: SupaWeb intentionally limits what the desktop app displays. The desktop is an execution agent — all reporting, dashboards, exports, comparisons, and sharing happen on the web.

Encryption & Transport

All web requests and uploads use HTTPS/TLS. Secrets are stored as environment variables on the server and never shipped in client code.

Access Control

API endpoints validate Supabase-issued access tokens on every request. Plan enforcement is applied server-side, so the server's view of the subscription is the only source of truth for entitlements.

Plan Enforcement

Crawl pages and factor counts are capped per plan. The desktop UI offers no plan selection or overrides, but the UI is not the control: the cap is enforced by the server regardless of what the client sends.

Responsible Disclosure

If you believe you’ve found a security issue, please report it privately. We investigate credible reports and prioritize fixes based on impact.

Please avoid sharing sensitive details publicly. Include steps to reproduce, affected URLs, and expected vs actual behavior.

Compliance & Roadmap

SupaWeb aims to meet enterprise security expectations. Where applicable, we publish improvements as the platform evolves.

Current
  • Token-based authentication & authorization
  • Webhook signature validation for billing events
  • Server-side environment variable isolation
  • Controlled reporting boundary (Desktop vs Web)
Roadmap (Planned)
  • Security status page
  • Formalized incident response playbook
  • SOC 2 readiness track (if/when required)
  • DPA + subprocessor listing publication

Roadmap items are targets and may change based on customer requirements.

Need help? Contact support@supaweblabs.com.