Security Statement
Last updated: June 24, 2026
This page is maintained by Risky Terms to answer common security questions. It describes controls we have enabled today; it is not a third-party certification.
Encryption in transit & at rest
TLS 1.2+ for all traffic. Database and object storage encrypted at rest by our cloud providers.
Authentication
Email + password with secure hashing. Session tokens stored in browser storage scoped to your origin.
Row-level security
Every customer table enforces row-level security so users can only read or write their own data.
Least-privilege secrets
API keys for third-party services are server-only and scoped per environment (sandbox vs. live).
Audit logging
Authentication events, billing changes, and admin actions are logged for review and incident response.
Monitoring & alerting
Runtime errors, failed payments, and abnormal API usage are monitored and alerted on.
Hosting & platform
- The web application runs on Cloudflare’s edge runtime with DDoS protection and global CDN.
- Authentication, database (PostgreSQL), and object storage are managed by Supabase in U.S. regions.
- Payments are processed by Stripe. We never see or store full card numbers; checkout is rendered via Stripe’s PCI-compliant components.
Access controls
- Customer data is isolated per user via Postgres row-level security policies.
- Admin access to production systems is limited to a small set of personnel and requires unique credentials and MFA.
- Internal admin pages are gated behind role checks stored in a dedicated user_roles table (never on user records, to prevent privilege escalation).
- API keys are hashed at rest and verified with constant-time comparison.
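The per-user isolation and separate-roles-table pattern described above, as an added SQL sketch that is not Risky Terms' own schema: it assumes Supabase Postgres, where auth.uid() returns the authenticated user's id, and the scans and admin_audit tables are hypothetical.

```sql
-- Constructed illustration of the pattern above; not Risky Terms' actual schema.
-- Assumes Supabase Postgres, where auth.uid() returns the calling user's id.

create table scans (
  id         bigserial primary key,
  owner_id   uuid not null default auth.uid(),
  url        text not null,
  created_at timestamptz not null default now()
);
alter table scans enable row level security;

-- Tenant isolation: a user can only read and change rows they own.
create policy scans_owner_select on scans for select using (owner_id = auth.uid());
create policy scans_owner_insert on scans for insert with check (owner_id = auth.uid());
create policy scans_owner_update on scans for update
  using (owner_id = auth.uid()) with check (owner_id = auth.uid());
create policy scans_owner_delete on scans for delete using (owner_id = auth.uid());

-- Roles live in their own table. Users may read their own role, but no policy
-- grants insert/update/delete, so a user cannot write themselves an 'admin' role
-- the way they could if `role` were a column on a user-editable profile row.
create type app_role as enum ('user', 'admin');
create table user_roles (
  user_id uuid not null,
  role    app_role not null,
  primary key (user_id, role)
);
alter table user_roles enable row level security;
create policy user_roles_read_own on user_roles for select using (user_id = auth.uid());

-- SECURITY DEFINER so the check runs with the function owner's rights and is
-- not itself blocked by user_roles' RLS when evaluated inside another policy.
create function has_role(r app_role) returns boolean
language sql stable security definer set search_path = public as $$
  select exists (select 1 from user_roles where user_id = auth.uid() and role = r)
$$;

-- Admin-only table: every operation is gated by the role check.
create table admin_audit (id bigserial primary key, note text);
alter table admin_audit enable row level security;
create policy admin_audit_admin_only on admin_audit for all
  using (has_role('admin')) with check (has_role('admin'));
```

Because no policy permits writes to user_roles, role grants can only be made by the table owner or a service-role connection, never by an end-user session.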
Data handling
- Scans crawl only publicly accessible pages on URLs you submit, respect a small per-domain page cap, and identify themselves with a custom user agent.
- Scan results, AI rewrites, and your account data are stored in your tenant and not used to train third-party models.
- Aggregated/de-identified data may power our paid data products as described in our Privacy Policy.
Backups & continuity
- The database is continuously backed up by our managed provider with point-in-time recovery.
- Edge deployment runs from immutable builds; rollbacks complete in minutes.
Vulnerability management
- Dependencies are continuously scanned for known vulnerabilities; high-severity patches are prioritized.
- We perform input validation server-side, use parameterized queries, and avoid rendering untrusted HTML.
Responsible disclosure
If you believe you have found a security vulnerability, please email security@riskyterms.lovable.app with details and reproduction steps. We ask that you give us reasonable time to investigate and remediate before public disclosure, and that you do not access or modify data that is not yours. We will acknowledge receipt within 3 business days.
Compliance
Risky Terms is not currently independently certified against SOC 2, ISO 27001, HIPAA, PCI-DSS, or GDPR audit standards. We rely on the compliance posture of our underlying infrastructure providers (Cloudflare, Supabase, Stripe) and implement the controls described above. We will publish updates here as our compliance program matures.
Contact
Security questions or vendor reviews: security@riskyterms.lovable.app.

