1. Security principles
Security at Spoolio is built on three principles: defense in depth, principle of least privilege, and secure by default. Every customer-facing surface and every internal system passes through threat modelling and security review before shipping.
2. Infrastructure
- Application hosting. Vercel for web application; Railway for background workers; Supabase for the operational database; Cloudflare R2 for object storage; Upstash Redis for cache and rate limiting; Sentry for monitoring.
- Network. TLS 1.2+ on every public endpoint; HSTS enforced; Cloudflare front-of-house for DDoS protection and bot mitigation.
- Edge. Static assets served from CDN with integrity hashes where applicable.
3. Data protection
- Encryption in transit. All traffic to and from Spoolio is encrypted with TLS 1.2 or higher. We aim for TLS 1.3 everywhere our edge supports it.
- Encryption at rest. Supabase data is encrypted at rest by the provider. Cloudflare R2 uses SSE-S3 (AES-256) server-side encryption. Biometric assets (voice samples + face references) inherit SSE-S3 by default.
- Connected-platform tokens. OAuth tokens for connected platforms (TikTok, YouTube, Instagram, Meta, Pinterest, LinkedIn, X) are encrypted at rest with AES-256-GCM using keys managed in environment-scoped secret stores. Tokens are never written to logs.
- Row-level security (RLS). Every customer table in our database has RLS policies enforcing auth.uid() = user_id or equivalent ownership checks. Service-role access is restricted to a small number of internal systems and never used in client-facing code paths.
- Backups. Daily backups of the operational database with point-in-time recovery; 30-day retention. R2 object retention with versioning enabled for critical buckets.
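An added illustration of the token-at-rest scheme described above (example code, not Spoolio's own): AES-256-GCM with a key loaded from the environment, a fresh nonce per token, and a redaction helper for anything that reaches logs. The SPOOLIO_TOKEN_KEY variable name, the iv||tag||ciphertext storage layout, the offline fallback key, and binding the provider name as associated data are all assumptions of this example, not statements from the policy.

```typescript
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

const ALG = "aes-256-gcm";
const IV_LEN = 12;  // 96-bit nonce, the standard GCM nonce size
const TAG_LEN = 16; // 128-bit authentication tag

// Key material comes from the environment-scoped secret store. SPOOLIO_TOKEN_KEY is
// an assumed variable name; the constructed fallback exists only so this runs offline.
export function loadTokenKey(): Buffer {
  const hex = process.env.SPOOLIO_TOKEN_KEY ?? "11".repeat(32);
  const key = Buffer.from(hex, "hex");
  if (key.length !== 32) throw new Error("token key must be 32 bytes (64 hex chars)");
  return key;
}

// Seal a plaintext OAuth token. The provider name is bound as associated data so a
// ciphertext stored for one platform cannot be swapped into another platform's row.
export function sealToken(plaintext: string, provider: string, key: Buffer): string {
  const iv = randomBytes(IV_LEN); // fresh random nonce per token; never reused with a key
  const cipher = createCipheriv(ALG, key, iv);
  cipher.setAAD(Buffer.from(provider, "utf8"));
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  // Stored layout: iv || tag || ciphertext, base64url so it fits a text column.
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString("base64url");
}

// Unseal; decipher.final() throws on any tag mismatch (bit flip, wrong provider, wrong key).
export function unsealToken(sealed: string, provider: string, key: Buffer): string {
  const buf = Buffer.from(sealed, "base64url");
  if (buf.length < IV_LEN + TAG_LEN) throw new Error("sealed token too short");
  const decipher = createDecipheriv(ALG, key, buf.subarray(0, IV_LEN));
  decipher.setAAD(Buffer.from(provider, "utf8"));
  decipher.setAuthTag(buf.subarray(IV_LEN, IV_LEN + TAG_LEN));
  const ct = buf.subarray(IV_LEN + TAG_LEN);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString("utf8");
}

// The only form a token may take in logs or error reports: a fixed mask plus the last 4 chars.
export function redactToken(plaintext: string): string {
  return plaintext.length <= 4 ? "****" : "****" + plaintext.slice(-4);
}
```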
4. Access control
- Engineering access requires single sign-on with mandatory two-factor authentication.
- Production access is least-privilege, time-limited, and audited.
- Application-level admin actions are logged with actor + reason.
- Customer support cannot access raw biometric samples; support tooling operates on metadata only.
5. Application security
- Input validation on every API route with Zod schemas. Body size limits enforced.
- Output encoding to prevent XSS; CSP delivered via response headers.
- CSRF protection on state-changing endpoints.
- Rate limiting on all public endpoints via Upstash Redis; per-user, per-IP, and per-endpoint budgets.
- Signed webhooks (Stripe + connected platforms) verified before processing.
- Server-side tier enforcement is the authoritative gate; client-side plan locks exist only for UX.
- Dependency monitoring and Renovate-style updates for security patches; transitive dependency advisories checked at PR time.
6. AI-specific security
- Prompt injection mitigations. User-supplied text is contained within structured prompts with role separation; downstream consumers parse model outputs as JSON via a single balanced parser, not via free-form regex.
- Content moderation gates at the prompt stage, the visual stage, and the published-output stage.
- Celebrity voice-match screening on every voice sample uploaded for cloning.
- Biometric pass-through controls. Reference uploads to fal.ai use X-Fal-Store-IO: 0 by default, preventing payload persistence.
- Sub-processors contracted not to train on customer data. See Privacy → Processors.
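An added example (not Spoolio's code) of the "single balanced parser" approach from the prompt-injection bullet above: the model is assumed to have been asked for one JSON object, so the consumer extracts only the first balanced {...} (tracking string literals and escapes), parses it with JSON.parse, checks its shape, and discards any text before or after it. The CaptionResult shape and the caption length limit are constructed for the example.

```typescript
export interface CaptionResult { caption: string; hashtags: string[] }

const MAX_CAPTION = 2200; // constructed limit for the example, not a Spoolio value

// Scan for the first balanced top-level {...}. String literals and escapes are
// tracked so a brace inside a quoted value cannot end the object early.
export function extractBalancedObject(text: string): string | null {
  const start = text.indexOf("{");
  if (start < 0) return null;
  let depth = 0, inStr = false, esc = false;
  for (let i = start; i < text.length; i++) {
    const c = text[i];
    if (inStr) {
      if (esc) esc = false;
      else if (c === "\\") esc = true;
      else if (c === '"') inStr = false;
      continue;
    }
    if (c === '"') inStr = true;
    else if (c === "{") depth++;
    else if (c === "}" && --depth === 0) return text.slice(start, i + 1);
  }
  return null; // truncated or unbalanced output: refuse rather than guess
}

// Parse exactly one object and check its shape. Free text around the object,
// unexpected types and extra keys are all dropped; on any doubt return null so the
// caller treats the generation as failed instead of acting on partial data.
export function parseCaptionResult(modelOutput: string): CaptionResult | null {
  const raw = extractBalancedObject(modelOutput);
  if (raw === null) return null;
  let value: unknown;
  try { value = JSON.parse(raw); } catch { return null; }
  if (typeof value !== "object" || value === null || Array.isArray(value)) return null;
  const obj = value as Record<string, unknown>;
  if (typeof obj.caption !== "string" || obj.caption.length > MAX_CAPTION) return null;
  if (!Array.isArray(obj.hashtags)) return null;
  const hashtags = obj.hashtags.filter((h) => typeof h === "string" && /^#\w+$/.test(h));
  if (hashtags.length !== obj.hashtags.length) return null; // reject, don't silently trim
  return { caption: obj.caption, hashtags: hashtags as string[] };
}
```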
7. Incident response
- 24/7 paging for security alerts and high-severity incidents.
- Documented incident-response runbook covering triage, containment, eradication, recovery, and post-mortem.
- Breach notification within 72 hours to affected users and the relevant supervisory authority where required by GDPR Art. 33–34 or US state breach law.
- Reach us at security@spoolio.ai.
8. Compliance posture
Pre-launch, Spoolio implements security controls consistent with SOC 2 Type I principles and is preparing for a formal SOC 2 Type II audit in our first 12 months of operation. Privacy compliance posture is described in our Privacy Policy and our Data Processing Addendum.
9. Coordinated vulnerability disclosure
We welcome security researchers. If you believe you've found a security issue, please email security@spoolio.ai with:
- A description of the issue + impact;
- Step-by-step reproduction;
- The version, URL, or environment affected;
- Your name + how you'd like to be credited.
Safe harbor
Spoolio will not pursue legal action against good-faith researchers who: comply with this policy; avoid privacy violations, data destruction, or service disruption; do not access more data than necessary to prove the vulnerability; and give us reasonable time to remediate before public disclosure (typically 90 days).
Out of scope
- Issues in third-party services (Stripe, Cloudflare, Supabase, etc.) — report to them directly.
- Social engineering of Spoolio employees.
- Physical attacks against infrastructure.
- Volumetric DDoS.
Disclaimer. This policy is comprehensive but undergoes external counsel review pre-launch. It reflects Spoolio's intended operating practices as of May 10, 2026. For binding interpretation in any jurisdiction, please consult qualified legal counsel. Material changes will be versioned and announced via in-product notice and email at least 30 days before they take effect.
Questions about this policy: legal@spoolio.ai. Data-protection matters: privacy@spoolio.ai. EU/UK DPO: dpo@spoolio.ai.