1. How we think about security
Your ideas, your writing, your AI keys — these are sensitive. We treat them that way. This page documents how.
We're a small team but we don't treat “small” as an excuse for weak practices. We use best-in-class tools, we stay current on threats, and we publish this page so you can audit our approach before trusting us with your data.
2. Encryption
In transit: TLS 1.3 for all connections between your browser, our servers, and our databases. HSTS enforced. Certificate pinning for our API.
At rest: Database encryption via Supabase (AES-256). File storage encrypted in DO Spaces. Database backups encrypted.
API keys: BYOK keys are encrypted server-side with libsodium (XSalsa20-Poly1305) before hitting the database. The encryption master key is stored separately in env vars, rotated quarterly. Keys are decrypted in memory only, never logged, and zeroed after use.
3. Data isolation
We use Supabase Row Level Security (RLS) to enforce user-level data isolation at the database level. Even if there were a bug in our application code, one user could not read another user's data — the database itself would reject the query.
MongoDB collections use strict user-scoped queries. All application-layer queries require a user context. We have automated tests that verify isolation is maintained on every deploy.
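For the MongoDB side, "all application-layer queries require a user context" means there is no code path that can issue an unscoped query, and the isolation test is the check that proves it. The following is an added example, not distro's code: `ScopedCollection` and `UserContext` are assumed names, and `FakeCollection` stands in for a pymongo collection (equality filters only) so the example runs offline. The Supabase/Postgres side of the same guarantee lives in RLS policies, which are not reproduced here.

```python
"""User-scoped access to a MongoDB-style collection, plus the isolation check.

Added example, not distro's code. FakeCollection mimics the subset of
pymongo's Collection API used here; ScopedCollection/UserContext are assumed names.
"""
from dataclasses import dataclass
from typing import Any, Iterable, Optional


@dataclass(frozen=True)
class UserContext:
    """Identity of the authenticated caller, set once per request after auth."""
    user_id: str


class MissingUserContext(Exception):
    """Raised when code tries to query without a user; there is no 'query everything' path."""


class FakeCollection:
    """Minimal in-memory stand-in for pymongo.collection.Collection."""

    def __init__(self, docs: Iterable[dict[str, Any]]):
        self._docs = [dict(d) for d in docs]

    @staticmethod
    def _matches(doc: dict, flt: dict) -> bool:
        return all(doc.get(k) == v for k, v in flt.items())

    def find(self, flt: dict) -> list[dict]:
        return [dict(d) for d in self._docs if self._matches(d, flt)]

    def insert_one(self, doc: dict) -> None:
        self._docs.append(dict(doc))

    def update_one(self, flt: dict, update: dict) -> int:
        for d in self._docs:  # returns number of modified documents
            if self._matches(d, flt):
                d.update(update["$set"])
                return 1
        return 0

    def delete_many(self, flt: dict) -> int:
        before = len(self._docs)
        self._docs = [d for d in self._docs if not self._matches(d, flt)]
        return before - len(self._docs)


class ScopedCollection:
    """Every filter is AND-ed with the caller's user_id, and inserts are stamped with it,
    so a document can neither be read across users nor exist without an owner."""

    def __init__(self, raw: FakeCollection, ctx: Optional[UserContext]):
        if ctx is None or not ctx.user_id:
            raise MissingUserContext("query issued without a user context")
        self._raw, self._ctx = raw, ctx

    def _scope(self, flt: dict) -> dict:
        # A caller-supplied user_id that differs from the context is a bug, not a request to honour.
        if flt.get("user_id", self._ctx.user_id) != self._ctx.user_id:
            raise PermissionError("filter names another user")
        return {**flt, "user_id": self._ctx.user_id}

    def find(self, flt: Optional[dict] = None) -> list[dict]:
        return self._raw.find(self._scope(flt or {}))

    def insert_one(self, doc: dict) -> None:
        self._raw.insert_one({**doc, "user_id": self._ctx.user_id})

    def update_one(self, flt: dict, update: dict) -> int:
        return self._raw.update_one(self._scope(flt), update)

    def delete_many(self, flt: dict) -> int:
        return self._raw.delete_many(self._scope(flt))


def sample_collection() -> FakeCollection:
    """Constructed data: drafts belonging to two users."""
    return FakeCollection([
        {"_id": 1, "user_id": "alice", "title": "Launch post"},
        {"_id": 2, "user_id": "bob", "title": "Pricing thoughts"},
        {"_id": 3, "user_id": "bob", "title": "Roadmap"},
    ])


def isolation_holds(raw: FakeCollection) -> bool:
    """The kind of check run on every deploy: Alice must not read, modify or delete Bob's
    documents, even when she addresses them by _id, and no unscoped query may exist."""
    alice = ScopedCollection(raw, UserContext("alice"))
    if {d["user_id"] for d in alice.find()} != {"alice"}:
        return False
    if alice.find({"_id": 2}):  # Bob's document, requested by id
        return False
    if alice.update_one({"_id": 2}, {"$set": {"title": "edited"}}) != 0:
        return False
    if alice.delete_many({"title": "Roadmap"}) != 0:
        return False
    try:
        alice.find({"user_id": "bob"})
        return False
    except PermissionError:
        pass
    try:
        ScopedCollection(raw, None)
        return False
    except MissingUserContext:
        pass
    return True
```

The useful property of this shape is that the scoping happens in one place (`_scope`), so the isolation test exercises every query method through it; a new method that bypasses `_scope` is the bug the test exists to catch. Against a real MongoDB deployment the same test would run against a seeded test database rather than `FakeCollection`.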
4. Access controls
Only two people at distro have production database access. Access requires hardware-key 2FA and is logged. Access is revoked within 24 hours if someone leaves the company.
Customer support tools allow viewing account metadata but not content (your ideas, drafts, writing samples). Support agents can't read your content unless you explicitly share it via a support ticket.
5. Monitoring and incident response
We monitor for anomalies, failed authentication attempts, suspicious API patterns, and infrastructure failures. We use Sentry for application errors, PostHog for behavioral anomalies, and DigitalOcean's monitoring for infrastructure.
If we detect a security incident affecting your account or data, we'll notify you within 72 hours (EU requirement: GDPR Article 33; we apply this globally).
6. Bug bounty
We run a public bug bounty. If you find a vulnerability, email [email protected] with a description and repro steps. We aim to respond within 24 hours.
Payouts based on severity:
- Critical (authentication bypass, RCE, data exfiltration): $2,000 – $10,000
- High (privilege escalation, significant data leak): $500 – $2,000
- Medium (limited info disclosure, CSRF on sensitive actions): $100 – $500
- Low (low-impact misconfigurations): $50 – $100
We operate on safe harbor principles: good-faith research is always welcome, never pursued legally. See our full Responsible Disclosure policy for details.
7. Compliance
GDPR: We're fully GDPR compliant. Data subjects in the EU have full rights under Articles 15-22. See our DPA for details.
CCPA: California residents have full CCPA rights. We don't sell personal data so the “Do Not Sell” toggle is always active by default.
SOC 2: We're not SOC 2 certified yet — we're too small to justify the audit cost. When we raise or cross 1,000 paying customers, we'll pursue certification. Until then, we follow SOC 2 controls as guidance even without formal audit.
HIPAA / PCI: We are not HIPAA or PCI compliant. Do not use distro to process PHI or payment card data. Payment processing happens entirely within Stripe, which is PCI-DSS certified.
8. Infrastructure security
Hosting: DigitalOcean App Platform (isolated containers). Supabase Cloud (EU region). MongoDB Atlas M10 (EU region).
Network: All services are private. Public-facing endpoints are rate-limited and fronted by Cloudflare with WAF rules.
Backups: Database backups daily, retained 35 days. Tested quarterly via restore drills.
Dependencies: Automated scanning via Dependabot + Snyk. Critical CVEs patched within 24 hours, high within 7 days.
9. Contact
Security questions or concerns? Email [email protected]. We encrypt sensitive reports with PGP — request the public key in your initial email.