Security
Security is a product feature, not a checkbox
Starscoo is built on encryption-first, least-privilege foundations. Here's how we protect your keys, your prompts, and your data.
Encryption everywhere
All traffic uses TLS 1.2+. Provider keys at rest are sealed with AES-256-GCM using a pepper held outside the database. Prompt bodies in 30-day retention windows are also encrypted.
Row-level security
Every Supabase table is protected by Postgres row-level security. Users can only read their own keys, requests, and usage. Admins are scoped by role checks on every query.
Single-tenant boundaries
Customer data is separated by user_id at the database level. Cross-tenant reads are physically impossible from the application layer.
Bot & abuse protection
Cloudflare Turnstile gates sign-up and sign-in. Per-IP and per-account rate limits run on Upstash Redis. Anomalous traffic auto-throttles and triggers alerts.
Audit logs
Every privileged action — key creation, provider rotation, user suspension — is recorded in an append-only audit table accessible only to super-admins.
Strong session hygiene
Sessions use Supabase's rotating refresh tokens with PKCE. Password recovery and email verification use single-use, time-bound links.
Secure defaults
HSTS, strict CSP, X-Frame-Options DENY, Referrer-Policy, and Permissions-Policy are set on every response. Cookies are httpOnly, secure, sameSite=lax.
Responsible disclosure
Report vulnerabilities to security@starscoo.space. We acknowledge within 24 hours and ship fixes for confirmed critical issues within 7 days.
Security contact
security@starscoo.space · PGP key available on request.