Encryption
| Layer | Implementation |
|---|---|
| At rest | Postgres data is encrypted at rest by Supabase. |
| In transit | TLS 1.2+ on every public endpoint. |
| BYOK exchange keys | AES-256-GCM with a per-account derived key. The server stores ciphertext only. |
| Webhook signing | HMAC-SHA256, header X-SF-Signature: sha256=<hex>. |
Secrets handling
- API keys — stored as Argon2 hashes. The plain secret is shown exactly once on creation, never re-listed by any endpoint.
- Exchange keys (BYOK) — ciphertext only. Decryption happens only inside the active cloud tick process and is erased from memory immediately after the tick.
- Webhook secrets — generated server-side per endpoint. The dashboard surfaces a one-time view; afterwards the API only returns
signatureScheme: "hmac-sha256"andhasSigningSecret: true, never the secret itself.
Audit trail
Async workflows attach trace ids so support and audit tooling can correlate a user action, monitor cycle, alert delivery, or portfolio tick across downstream work. See Provenance.Webhook receiver SSRF protection
Permissions model
Each account has one or more API keys; an active key has the same access as the user that issued it. For scope-limited keys (read-only, MCP-tool allow-list, service-account isolation), emailpatrick@simplefunctions.dev.
Vulnerability disclosure
Found a security issue? Emailpatrick@simplefunctions.dev with reproduction steps. We acknowledge reports as soon as we can and work the fix from there. Please do not disclose publicly until a fix has shipped.
Incident response
Live incidents are posted athttps://simplefunctions.dev/status with timeline and scope. Past incidents stay on the page for reference.
See also
Authentication
Auth flavors and BYOK encryption.
Compliance
Regulatory posture.
Provenance
Trace ids and audit correlation.