Security

1. Overview

Gythr is built on infrastructure providers that maintain industry-standard security certifications. This page documents the specific security measures in place across the platform.

2. Infrastructure Security

Gythr is hosted on Vercel, which is SOC 2 Type 2 compliant. All application traffic is served over HTTPS with TLS encryption enforced at the edge by Vercel.

The database layer is provided by Supabase (PostgreSQL), which is SOC 2 Type 2 compliant. Supabase encrypts all data at rest using AES-256 and encrypts all data in transit using TLS.

All secrets, API keys, and credentials are stored as environment variables in Vercel. No secrets are committed to source code.

3. Data Protection

All database tables use Supabase Row Level Security (RLS) policies. RLS enforces access control at the database level, ensuring that users can only query and modify data they are authorized to access. These policies are evaluated on every database request regardless of how the request originates.

  • Encryption at rest: All stored data is encrypted with AES-256 via Supabase.
  • Encryption in transit: All connections between clients, the application server, and the database use TLS.
  • Access control: Role-based permissions determine which users can view and manage event data. Organization owners and editors have different permission levels enforced by RLS policies.

4. Authentication & Access

Authentication is handled by Supabase Auth. Passwords are hashed using bcrypt before storage. Plaintext passwords are never stored.

Authenticated sessions use JSON Web Tokens (JWTs) issued by Supabase Auth. Tokens are validated on every request to protected routes. Session middleware verifies authentication state before granting access to the platform.

5. Payment Security

All payment processing is handled by Stripe, which is PCI DSS Level 1 certified — the highest level of payment industry security certification.

Gythr does not store, process, or have access to credit card numbers or payment card data. Card information is entered directly on Stripe's hosted checkout page and never passes through Gythr servers. Payment confirmations are received via authenticated Stripe webhooks with signature verification.

6. Email Security

Transactional emails are sent via Resend using TLS encryption for email delivery.

The gythr.com domain is configured with the following email authentication standards:

  • SPF (Sender Policy Framework) — specifies which mail servers are authorized to send email on behalf of gythr.com.
  • DKIM (DomainKeys Identified Mail) — cryptographically signs outgoing emails to verify they have not been altered in transit.
  • DMARC (Domain-based Message Authentication, Reporting and Conformance) — instructs receiving mail servers on how to handle emails that fail SPF or DKIM checks.
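A small checker for the SPF and DMARC records described in the list above, as an added example (not Gythr's code or configuration): it parses the TXT record syntax and reports settings a defender would want to tighten. The record strings are constructed samples passed in directly so the code runs offline; in practice they would be fetched with `dns.resolveTxt()`. DKIM is not assessed here because validating it requires a signed message, not just the DNS record.

```javascript
// Added example: parse SPF and DMARC TXT records and flag weak settings.
// Inputs are record strings (constructed samples in the tests), so no DNS access is needed.

// "v=spf1 include:_spf.example.net -all" -> { mechanisms: [{ qualifier, body }, ...] } or null
function parseSpf(record) {
  const terms = record.trim().split(/\s+/);
  if (terms[0] !== "v=spf1") return null;
  const mechanisms = terms.slice(1).map((t) => {
    const m = t.match(/^([+\-~?])?(.*)$/);
    return { qualifier: m[1] || "+", body: m[2] };
  });
  return { mechanisms };
}

// "v=DMARC1; p=reject; rua=mailto:x@example.com" -> { v, p, rua, ... } or null
function parseDmarc(record) {
  const tags = {};
  for (const part of record.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    tags[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return tags.v === "DMARC1" ? tags : null;
}

// Returns a list of findings (empty means nothing to flag).
function assessSpf(record) {
  const spf = parseSpf(record);
  if (!spf) return ["no valid SPF record (must start with v=spf1)"];
  const findings = [];
  const all = spf.mechanisms.find((m) => m.body === "all");
  if (!all) findings.push("SPF has no 'all' mechanism; unlisted senders get a neutral result");
  else if (all.qualifier === "+") findings.push("SPF ends with '+all', which authorizes every sender");
  else if (all.qualifier === "?") findings.push("SPF ends with '?all' (neutral), which gives receivers no signal");
  else if (all.qualifier === "~") findings.push("SPF ends with '~all' (softfail); '-all' is the stricter choice");
  // RFC 7208 caps DNS-querying terms at 10; beyond that receivers return permerror.
  const lookups = spf.mechanisms.filter((m) =>
    /^(include:|a(:|\/|$)|mx(:|\/|$)|redirect=|exists:)/.test(m.body)).length;
  if (lookups > 10) findings.push(`SPF needs ${lookups} DNS lookups; the limit is 10`);
  return findings;
}

function assessDmarc(record) {
  const d = parseDmarc(record);
  if (!d) return ["no valid DMARC record (must start with v=DMARC1)"];
  const findings = [];
  if (!d.p) findings.push("DMARC record has no 'p' tag");
  else if (d.p === "none") findings.push("DMARC policy is 'none': failing mail is still delivered (monitoring only)");
  else if (d.p === "quarantine") findings.push("DMARC policy is 'quarantine'; 'reject' is the strongest setting");
  if (d.pct !== undefined && Number(d.pct) < 100) findings.push(`DMARC applies to only ${d.pct}% of mail`);
  if (!d.rua) findings.push("no 'rua' address: aggregate failure reports will not be received");
  if (d.sp === "none") findings.push("subdomain policy 'sp=none' leaves subdomains unprotected");
  return findings;
}

module.exports = { parseSpf, parseDmarc, assessSpf, assessDmarc };
```

A domain whose SPF ends in `-all` and whose DMARC policy is `p=reject` with a `rua` address produces no findings; the checker is meant to be run against your own domains as a periodic posture check.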

7. Data Privacy

For information about how Gythr collects, uses, and protects personal data, see the Privacy Policy.

8. Vulnerability Reporting

If you discover a security vulnerability, please report it responsibly by emailing security@gythr.com. Include a description of the vulnerability, steps to reproduce it, and any relevant details. We will acknowledge receipt within 48 hours and provide updates on remediation progress.

Do not publicly disclose a vulnerability before it has been addressed.

9. Compliance

Gythr's infrastructure providers maintain the following certifications:

  • SOC 2 Type 2 — Vercel (hosting) and Supabase (database and authentication).
  • PCI DSS Level 1 — Stripe (payment processing).

For information about California Consumer Privacy Act (CCPA) compliance, see the Privacy Policy.

10. Contact

For security-related inquiries, contact security@gythr.com.

For general privacy questions, contact privacy@gythr.com.