Security posture
A plain statement of how the platform is built and run today. This is a public-beta posture described honestly — not an enterprise compliance claim.
Reader accounts use Supabase Auth (email-based). The editorial desk is a separate, explicitly-granted role: every admin action re-verifies the session and editor membership server-side, and all privileged writes go through the service role on the server — no privileged key ever reaches a browser. Public database access is read-only, enforced by row-level security. Machine publication is bounded by a server-enforced policy that pipeline code can narrow but never widen.
The public record (scores, claims, revisions, forecasts, source ledger) is append-only by design and retained indefinitely — that permanence is the product. Personal data is minimal (see /privacy): account email, handle, watchlists, forecast history. Accounts can be deleted on request; forecast history is anonymized rather than erased, because scored public predictions are part of the accuracy record.
Every editorial and administrative action writes an audit row (actor, action, subject, timestamp). Database backups run on the managed platform's schedule (daily, with point-in-time recovery). Pipeline runs are logged per execution in CI, so any published artifact can be traced to the run that produced it.
Public widgets under /embed are intentionally served with permissive framing (frame-ancestors *): they are designed to be embedded anywhere, contain only public data, and carry no session state. Future private or premium embeds will use scoped origins and signed access — the open posture applies to the public layer only.
Email christopher@vucanews.com with subject SECURITY. You'll get an acknowledgment, a fix or a timeline, and credit if you want it. Good-faith research against your own account's scope is welcome; please don't degrade the service for others. The same address is the incident-response contact.
Before any paid tier: formal privacy review, dependency audit cadence, key-rotation runbook, and scoped/signed embeds. Enterprise asks (SSO, audit export, private workspaces) come after the public trust layer has earned it.