Security
Last verified July 16, 2026.
This page describes what is actually deployed, verified directly against our database and code — not a compliance-marketing page. We do not hold a SOC 2 report, ISO 27001 certification, or any other third-party security certification, and we do not claim to. If a claim isn’t backed by something we can point to below, it isn’t on this page.
Database access control — Row Level Security
Every table in our production database (43 of 43, verified live via Postgres system catalogs) has Row Level Security (RLS) enabled. 32 of those 43 tables have zero RLS policies defined, which in Postgres means default-deny: no row is readable or writable through the public API using an anonymous or authenticated end-user key, even if that key were leaked — only our backend, using a service-role key that never reaches the browser, can read or write those tables. The remaining tables carry narrowly scoped policies for specific self-service cases (for example, a signed-in user reading their own verification history), never a blanket allow.
Rate limiting
Abuse and free-tier limits (signup attempts, free citation checks, free-tool usage) are enforced with durable, database-backed counters — not in-memory counters that reset on redeploy or can be bypassed by hitting a different serverless instance. Where a rate-limit check itself fails due to an infrastructure error, it fails open (allows the request) rather than taking the product down over a transient database hiccup — a deliberate availability-over-strictness tradeoff for low-severity limits, documented in code where it applies.
Payments
All payment processing runs through Stripe. We never see or store full card numbers — Stripe handles card data directly and we receive only limited billing metadata (plan, status, last four digits, billing country) back via webhook. Stripe’s own PCI DSS Level 1 certification and security practices are documented on Stripe’s security page — that is Stripe’s claim about Stripe, not ours.
Hosting and infrastructure
The application is hosted on Vercel (application layer, TLS termination, edge network) and Supabase (Postgres database, encrypted at rest per Supabase’s documented infrastructure). Both providers publish their own security and compliance documentation at the links above — those are their documented guarantees about their own infrastructure, not claims we are independently making or auditing on their behalf.
What this page does not claim
- No SOC 2, ISO 27001, HIPAA, or other third-party certification held by Digital Empire LLC / Citation Safe.
- No claim of a formal penetration test or bug bounty program.
- No claim of end-to-end encryption of document content — see /privacy for how document content is actually handled (hash-only by default).
Related pages
Privacy policy · Subprocessor list · Data Processing Addendum (template) · Methodology
Found a security issue? Email security@citationsafe.com (or support@citationsafe.com if that doesn’t reach us) — we will respond and do not currently offer a paid bounty.
Digital Empire LLC · 30 N Gould St Ste N, Sheridan, WY 82801.