Security

Draft · last updated [DATE]
⚠ Draft for review. Confirm every statement below matches your actual deployment before publishing — an overstated security claim is worse than none. This is a public posture summary, not a compliance attestation.

We take the security of your account and your data seriously. This page summarizes our current practices and how to report a vulnerability. The Service is in beta and these practices will continue to evolve.

How we protect your data

  • Encryption in transit. The Service is served over HTTPS/TLS, so traffic between your browser and our servers is encrypted.
  • Authentication. Accounts are handled by Supabase Auth. Passwords are stored only as salted hashes — never in plain text — and we never see your raw password.
  • Access controls. Data is stored in Supabase's managed PostgreSQL with row-level security enabled, so each request can read or write only the rows that the database's policies allow for the authenticated user, rather than the whole table being open to any signed-in user.
  • Encryption at rest. Our database provider encrypts stored data at rest.
  • Least privilege. The public app uses a restricted, publishable key scoped to what the browser needs; privileged operations run server-side and are not exposed to the client.
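As an added illustration of the row-level-security bullet above (not hotkey.gg's actual schema or policies), the following PostgreSQL/Supabase SQL shows the shape of the setup it describes: a per-user table with RLS turned on and one policy per operation, each tied to the authenticated user's id. The table name `practice_progress` and its columns are assumed for the example; `auth.uid()` and the `authenticated` role are standard Supabase objects.

```sql
-- Added example, not hotkey.gg's own schema: a per-user table protected by
-- row-level security so that rows are visible only to the user who owns them.
-- Table and column names are assumptions for illustration.

create table if not exists public.practice_progress (
  id         bigint generated always as identity primary key,
  user_id    uuid not null references auth.users (id) on delete cascade,
  hotkey     text not null,
  attempts   integer not null default 0,
  created_at timestamptz not null default now()
);

-- Without this statement RLS is off and every row is reachable by any role
-- that has table privileges, which is the "open to any user" failure mode.
alter table public.practice_progress enable row level security;

-- Apply the policies to the table owner as well, so server-side code running
-- as the owner role does not silently bypass them.
alter table public.practice_progress force row level security;

-- Each policy compares the row's owner with the JWT subject that Supabase
-- exposes through auth.uid(). Rows that fail the check behave as if absent.
create policy "progress: owner can read"
  on public.practice_progress for select
  to authenticated
  using (user_id = auth.uid());

create policy "progress: owner can insert own rows"
  on public.practice_progress for insert
  to authenticated
  with check (user_id = auth.uid());

create policy "progress: owner can update own rows"
  on public.practice_progress for update
  to authenticated
  using (user_id = auth.uid())
  with check (user_id = auth.uid());

create policy "progress: owner can delete own rows"
  on public.practice_progress for delete
  to authenticated
  using (user_id = auth.uid());

-- No policy is granted to the anon role, so unauthenticated requests made
-- with the publishable key see an empty table rather than everyone's data.
```

A practical check for a posture statement like this is to sign in as one test account in the browser client, query the table, and confirm that rows created by a second test account never appear; the `with check` clauses on insert and update are what stop a client from writing rows tagged with someone else's `user_id`.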

Reporting a vulnerability

If you believe you've found a security issue, please email hello@hotkey.gg with a description and steps to reproduce. Please give us a reasonable chance to address it before any public disclosure, and don't access, modify, or delete other users' data while testing. We'll acknowledge valid reports and work to resolve them. [Note whether you offer a bug bounty — "no monetary bounty at this time" is fine to state.]

For organizations

If you're evaluating hotkey.gg for cohort or pre-onboarding training and need more detail for a security review, contact hello@hotkey.gg. [As the enterprise offering matures, list what you can provide — e.g., a security questionnaire response, SSO, a data-processing agreement — and don't claim certifications such as SOC 2 until they actually exist.]