Security at Hyperlists
Last updated: 3 May 2026
Your tasks are personal. We treat them that way. This page explains how Hyperlists Labs LLC keeps your data safe, what controls we have in place, and how to report a vulnerability.
1. Encryption
- In transit — all traffic is served over TLS 1.2 or higher. HTTP requests are redirected to HTTPS; HSTS is enabled on our production domains.
- At rest — the underlying Postgres database (operated by Supabase on AWS) encrypts all data at rest using AES-256. Storage volumes are encrypted with provider-managed keys.
2. Authentication
- Email + password sign-in, with Argon2-style password hashing handled by Supabase Auth. We never store plaintext passwords.
- Single sign-on via Google OAuth 2.0.
- Sessions are managed via httpOnly, Secure, SameSite=Lax cookies and short-lived JWTs that are silently refreshed.
3. Access control
- Row-level security (RLS) is enabled on every table that holds user data. Each query is constrained server-side by auth.uid() = user_id, so a user can never read or write another user’s rows even if a bug bypasses application logic.
- The service role key (which bypasses RLS) is only used by trusted server-side code paths — namely the Stripe webhook handler — and is never exposed to browsers.
- Internal access to production data is least-privilege and gated by SSO + 2FA.
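As an added illustration of the RLS constraint described above (example SQL written for this page, not Hyperlists' own schema), the following shows a Supabase-style policy set for a hypothetical tasks table; the table name and columns are assumptions, and the point worth checking is that insert and update policies use WITH CHECK, since a USING clause alone does not stop a row being written with someone else's user_id.

```sql
-- Hypothetical table: one row per task, owned by the signed-in user.
-- auth.uid() is Supabase's helper returning the caller's user id from the JWT.
create table if not exists tasks (
  id      bigint generated always as identity primary key,
  user_id uuid not null default auth.uid(),
  title   text not null
);

-- Policies are ignored until RLS is switched on for the table.
alter table tasks enable row level security;

-- Reads: a session only ever sees rows it owns. No policy is granted to the
-- anon role, so unauthenticated requests see nothing (RLS is default-deny).
create policy "tasks_select_own" on tasks
  for select to authenticated
  using (auth.uid() = user_id);

-- Inserts are governed by WITH CHECK, not USING: this is the clause that
-- rejects a new row whose user_id is not the caller's own id.
create policy "tasks_insert_own" on tasks
  for insert to authenticated
  with check (auth.uid() = user_id);

-- Updates need both: USING selects which rows may be touched, WITH CHECK
-- stops the update from re-assigning the row to another user_id.
create policy "tasks_update_own" on tasks
  for update to authenticated
  using (auth.uid() = user_id)
  with check (auth.uid() = user_id);

create policy "tasks_delete_own" on tasks
  for delete to authenticated
  using (auth.uid() = user_id);

-- Verification: list the policies Postgres actually holds for the table.
-- Expect four rows, one per command, each with the auth.uid() = user_id test.
select policyname, cmd, qual, with_check
from pg_policies
where tablename = 'tasks';
```

The service role connects with a role that has BYPASSRLS, which is why the page restricts that key to server-side code; none of the policies above apply to it.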
4. Payments
Card payments are processed by Stripe, a Level 1 PCI-DSS compliant provider. Hyperlists never sees or stores your full card number or CVC; we only retain the last four digits and the brand of the card for billing display.
5. Infrastructure
- The application is hosted on Vercel, with edge delivery and automatic TLS.
- Database, authentication and storage are provided by Supabase, which runs on AWS infrastructure.
- Daily encrypted database backups are retained for 7 days; we run point-in-time recovery for production.
- All sub-processors are bound by data-processing agreements that include Standard Contractual Clauses for international transfers.
6. Application security
- Strict TypeScript and an ESLint security ruleset on every commit.
- Server-side validation with Zod schemas for every mutation; user input is never trusted.
- Stripe webhook payloads are verified using the signing secret before any state is changed.
- Defence-in-depth headers (Content-Security-Policy via framework defaults, X-Content-Type-Options, Referrer-Policy, etc.).
7. Privacy & data deletion
You can permanently delete your account from Settings → Danger zone → Delete account. All personal data is erased within 30 days, retained only where required by law (e.g. tax records). See our Privacy Policy for the full retention schedule.
8. Reporting a vulnerability
If you believe you’ve found a security issue, please email contact@hyperlists.app with the subject line SECURITY. We commit to:
- acknowledging your report within 2 business days;
- providing a triage and remediation plan within 10 business days for confirmed issues;
- not pursuing legal action against good-faith researchers who follow responsible-disclosure practices and stay within the scope of testing their own account’s data.
9. Compliance roadmap
We are committed to GDPR and UK GDPR alignment. SOC 2 Type II readiness and a public sub-processor list are on our security roadmap. Contact us if you have an enterprise compliance requirement.
10. Contact
Hyperlists Labs LLC
Email: contact@hyperlists.app