
Security at Standsly

Last updated: May 26, 2026

Your work log is sensitive. Standsly is built so your entries stay scoped to your account, integrations are encrypted, and AI features are opt-in with guardrails — not an afterthought.

This page summarizes controls we have implemented. For data collection and retention, see our Privacy Policy.

Security pillars

Your data stays yours

Work logs are scoped to your account at the database layer — not just in application code.

  • Row Level Security on every core table; users can only read and write their own rows
  • Team analytics use k-anonymity — member-level detail is withheld below team size thresholds
  • Managers see aggregates and patterns, not individual entry text
  • Cross-tenant isolation verified by automated security probes in CI
  • Export your data as CSV; delete your account and associated data from Settings

Strict access control

Every API endpoint is classified and authenticated. Sensitive actions require a fresh sign-in.

  • 117 API routes registered with explicit auth models — enforced in CI on every pull request
  • Session auth on all user-facing endpoints; team routes require active membership and role checks
  • Step-up authentication for billing and third-party integrations (recent sign-in required)
  • Scoped browser-extension tokens — 45-minute TTL, log-only scope, origin allowlist
  • OAuth connect flows use signed state cookies to prevent CSRF on callbacks

Encryption and secret handling

Integration credentials and sensitive tokens never reach the browser. Payment data stays with our processor.

  • OAuth tokens stored with AES-256-GCM envelope encryption; KEK rotation supported
  • Integration secret vault has no authenticated read path — server-side decrypt only
  • Service-role database access is registry-governed with mandatory audit purpose
  • We never store card numbers — Lemon Squeezy is Merchant of Record for billing
  • Server-only secrets; publishable keys are the only credentials exposed to the client

Responsible AI use

AI features are opt-in. Prompts are scoped to your data and screened before they leave our servers.

  • Summaries are generated only when you explicitly request them
  • Data Loss Prevention blocks JWTs, API keys, and private keys from reaching the model
  • Per-user rate limits on AI endpoints to prevent abuse and runaway cost
  • AI provider can be disabled globally via kill switch without a deploy
  • Prompt content is redacted from audit logs — we log pattern labels, not matched secrets
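
A minimal sketch of the screening and label-only audit logging described in the list above. It is an added example, not Standsly's code: the pattern set, the labels, and the names `DLP_PATTERNS`, `screenPrompt` and `sendToModel` are assumptions.

```javascript
// Added example (hypothetical names and patterns, not Standsly's implementation).
// Covers the three secret classes the page names: JWTs, API keys, private keys.
const DLP_PATTERNS = [
  { label: "jwt", re: /\beyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g },
  { label: "private_key", re: /-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----/g },
  { label: "aws_access_key_id", re: /\b(?:AKIA|ASIA)[0-9A-Z]{16}\b/g },
  { label: "api_key_assignment",
    re: /(?:api[_-]?key|secret|token)\s*[:=]\s*["']?[A-Za-z0-9_-]{20,}/gi },
];

// Screen a prompt. The audit record holds labels and counts only; the matched
// text and the prompt itself are never copied into it.
function screenPrompt(prompt) {
  const labels = {};
  for (const { label, re } of DLP_PATTERNS) {
    // matchAll works on a clone of the regex, so no lastIndex state leaks
    // between calls even though the patterns carry the global flag.
    const count = [...prompt.matchAll(re)].length;
    if (count > 0) labels[label] = count;
  }
  const allowed = Object.keys(labels).length === 0;
  return {
    allowed,
    audit: {
      event: "ai_prompt_screened",
      decision: allowed ? "forwarded" : "blocked",
      labels,
      promptChars: prompt.length,
    },
  };
}

// Gate in front of the model call: a blocked prompt never reaches callModel.
function sendToModel(prompt, callModel, auditLog) {
  const { allowed, audit } = screenPrompt(prompt);
  auditLog.push(audit);
  if (!allowed) return { status: "blocked", labels: Object.keys(audit.labels) };
  return { status: "sent", reply: callModel(prompt) };
}
```

Pattern-based screening only catches secrets with a recognisable shape, which is why the shared-responsibility guidance on not pasting credentials into entries still applies.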

Application hardening

Browser and server protections reduce XSS, clickjacking, cache bleed, and outbound abuse.

  • Security headers: HSTS, X-Frame-Options DENY, nosniff, strict Referrer-Policy, Permissions-Policy
  • Content Security Policy — report-only by default; staged enforcement with per-request nonces
  • Authenticated responses carry Cache-Control: private, no-store to prevent shared-cache leaks
  • Safe markdown rendering — no raw HTML injection; javascript: and data: links blocked
  • Outbound fetch hardened against SSRF — private IP ranges and metadata endpoints blocked
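
One way to implement the outbound-fetch check in the last item above, as an added example that is not Standsly's code. The range list, labels and function names are assumptions, and DNS resolution is left to the caller, who passes the resolved addresses in.

```javascript
// Added example; the range list, labels and function names are assumptions.
const BLOCKED_V4 = [ // [network, prefix bits, label]
  ["0.0.0.0", 8, "this-network"], ["10.0.0.0", 8, "private"], ["100.64.0.0", 10, "cgnat"],
  ["127.0.0.0", 8, "loopback"], ["169.254.0.0", 16, "link-local/metadata"],
  ["172.16.0.0", 12, "private"], ["192.168.0.0", 16, "private"],
];
const top = (n, bits) => Math.floor(n / 2 ** (32 - bits)); // network part of n
const v4ToInt = (ip) => // dotted quad to integer, null if not valid IPv4
  /^(\d{1,3}\.){3}\d{1,3}$/.test(ip) && ip.split(".").every((x) => +x <= 255)
    ? ip.split(".").reduce((acc, x) => acc * 256 + Number(x), 0) : null;

// Expand "::" into eight 16-bit groups; null if malformed (zone IDs included).
function v6Groups(ip) {
  const [head, tail, extra] = ip.split("::");
  if (extra !== undefined) return null;
  const [h, t] = [head, tail].map((s) => (s ? s.split(":") : []));
  if (tail === undefined ? h.length !== 8 : h.length + t.length > 7) return null;
  const g = [...h, ...Array(8 - h.length - t.length).fill("0"), ...t];
  return g.every((x) => /^[0-9a-f]{1,4}$/i.test(x)) ? g.map((x) => parseInt(x, 16)) : null;
}

// Returns a block label, or null when the address is publicly routable.
function classifyIp(ip) {
  if (!ip.includes(":")) {
    const n = v4ToInt(ip);
    if (n === null) return "unparseable"; // fail closed
    const hit = BLOCKED_V4.find(([b, bits]) => top(n, bits) === top(v4ToInt(b), bits));
    return hit ? hit[2] : null;
  }
  const g = v6Groups(ip);
  if (!g) return "unparseable";
  if (g.slice(0, 7).every((x) => x === 0) && g[7] <= 1) return "loopback";
  if ((g[0] & 0xfe00) === 0xfc00) return "unique-local";
  if ((g[0] & 0xffc0) === 0xfe80) return "link-local";
  if (g.slice(0, 5).every((x) => x === 0) && g[5] === 0xffff) // IPv4-mapped
    return classifyIp(`${g[6] >> 8}.${g[6] & 255}.${g[7] >> 8}.${g[7] & 255}`);
  return null;
}

// resolvedIps: addresses the caller obtained from DNS for a non-literal host.
function checkOutboundUrl(rawUrl, resolvedIps) {
  let url;
  try { url = new URL(rawUrl); } catch { return { allowed: false, reason: "invalid-url" }; }
  if (!["http:", "https:"].includes(url.protocol)) return { allowed: false, reason: "scheme" };
  const host = url.hostname.replace(/^\[|\]$/g, "");
  const ips = /^[\d.]+$/.test(host) || host.includes(":") ? [host] : resolvedIps;
  const bad = ips.map(classifyIp).find(Boolean);
  if (bad || ips.length === 0) return { allowed: false, reason: bad || "no-address" };
  return { allowed: true, connectTo: ips[0] }; // pin: connect to the vetted IP
}
```

The check runs on addresses rather than hostnames, and the caller should connect to `connectTo` instead of resolving the name a second time; redirects need the same check on every hop.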

Operational security

Security is built into how we ship code, respond to incidents, and audit privileged actions.

  • Dedicated security CI: secret scanning (Gitleaks), SAST (Semgrep), dependency audit gates
  • Static checks for API auth coverage, service-role containment, and security headers
  • Immutable audit trail for billing and privileged events — append-only, tamper-evident
  • Threat detection for credential stuffing, enumeration, and export scraping patterns
  • Incident response, disaster recovery, and secrets-governance runbooks in place

Shared responsibility

Security is a partnership. Standsly operates the platform; you control what you log, who you invite to a team, and which integrations you connect.

Area | Standsly | You
Work log content | Encrypt at rest via infrastructure provider; enforce access controls and backups | Choose what to log; avoid pasting secrets or credentials into entries
Account credentials | Secure session cookies; support global session revocation | Use a strong password or OAuth provider; revoke sessions on shared devices
Third-party integrations | Encrypt OAuth tokens; step-up auth before connect; scoped polling workers | Review connected apps; disconnect integrations you no longer use
AI summaries | DLP screening, rate limits, tenant-scoped prompts | Review generated summaries before sharing externally
Team visibility | Role-based access; k-anonymity on aggregates; no manager access to entry text | Assign team roles appropriately; invite only trusted members

Subprocessors

We use a small set of infrastructure and service providers (Supabase, Vercel, Anthropic, Resend, Inngest, Lemon Squeezy). Each is scoped to a specific function. Details are listed in our Privacy Policy.

Report a security issue

If you believe you have found a vulnerability, please email standslyai@gmail.com with subject line “Security report”. Include steps to reproduce and any proof-of-concept. We will acknowledge receipt within two business days and work with you on responsible disclosure.

Please do not publicly disclose issues before we have had a reasonable chance to remediate.

Enterprise requests

Need a DPA, security questionnaire, or detailed whitepaper for procurement? Email standslyai@gmail.com with your company name and timeline. Formal artifacts are available on request; we are not SOC 2 certified today.

Transparency notes

  • Security posture is actively verified through wave-based production probes; not every control has completed production sign-off yet.
  • Standsly is not SOC 2 or ISO 27001 certified today. Enterprise compliance artifacts (DPA, formal whitepaper) are available on request.
  • No system is perfectly secure. Report concerns to our security contact — we treat responsible disclosure seriously.