Security
Last updated: April 2026
COI Tracker stores sensitive vendor insurance data. This page documents how we protect it. Plain English — no marketing filler.
Authentication
- Magic-link only. No passwords to phish, leak, or reuse. Sign-in links expire in one hour and are single-use.
- Sessions are stored in HTTP-only, SameSite cookies scoped to coitracker.co.
- The session cookie is never exposed to client-side JavaScript, so even a successful XSS injection cannot read it.
Data isolation
- Every row in the database is scoped to an owning user. The Postgres Row-Level Security policy enforces this at the database layer — not just in application code.
- File uploads live in a private Supabase Storage bucket. Downloads use signed URLs valid for 60 seconds; nobody can browse the bucket.
- The service-role key — which can bypass RLS — is used only by the daily cron and the Stripe webhook. It never touches user-serving routes.
Transport and storage encryption
- TLS 1.2+ everywhere, enforced by HSTS with max-age=63072000; preload.
- Data at rest is encrypted by our infrastructure providers (Supabase on AWS RDS, Vercel on AWS).
Browser hardening
- Strict Content-Security-Policy blocks cross-site script injection.
- X-Frame-Options: DENY — the app cannot be iframed for clickjacking.
- Referrer-Policy: strict-origin-when-cross-origin.
- Permissions-Policy disables camera, microphone, geolocation.
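As an added example (not code from COI Tracker), here is a small Python audit that checks a response's headers and session cookie against the settings stated in the Authentication, Transport and Browser hardening sections above. The cookie name `session`, the Secure flag and the sample response it runs on are assumptions, not values from this page.

```python
from http.cookies import SimpleCookie

HSTS_MIN_AGE = 63072000          # two years, the max-age stated above
COOKIE_DOMAIN = "coitracker.co"
SESSION_COOKIE = "session"       # assumed cookie name; the page does not give it
EXACT = {"x-frame-options": "DENY", "referrer-policy": "strict-origin-when-cross-origin"}

def check_hsts(value):
    """True if max-age >= HSTS_MIN_AGE and the preload directive is present."""
    d = dict(p.strip().lower().partition("=")[::2] for p in value.split(";") if p.strip())
    return d.get("max-age", "").isdigit() and int(d["max-age"]) >= HSTS_MIN_AGE and "preload" in d

def check_permissions_policy(value):
    """camera, microphone and geolocation must each be disabled, i.e. set to ()."""
    feats = dict(p.strip().lower().partition("=")[::2] for p in value.split(",") if p.strip())
    return all(feats.get(f, "").strip() == "()" for f in ("camera", "microphone", "geolocation"))

def check_session_cookie(set_cookie):
    """HttpOnly, SameSite and Domain as stated above; Secure is assumed from TLS-everywhere."""
    jar = SimpleCookie(set_cookie)
    m = jar.get(SESSION_COOKIE)
    return (m is not None and bool(m["httponly"]) and bool(m["secure"])
            and m["samesite"].lower() in ("lax", "strict")
            and m["domain"].lstrip(".").lower() == COOKIE_DOMAIN)

def audit(headers):
    """Return a list of findings; an empty list means every policy point above is met."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = [f"{n}: expected {w!r}, got {h.get(n)!r}"
                for n, w in EXACT.items() if h.get(n, "").strip().lower() != w.lower()]
    checks = {
        "content-security-policy: header missing": "content-security-policy" in h,
        "strict-transport-security: need max-age>=63072000 and preload":
            check_hsts(h.get("strict-transport-security", "")),
        "permissions-policy: camera, microphone and geolocation must be ()":
            check_permissions_policy(h.get("permissions-policy", "")),
        "set-cookie: session cookie not HttpOnly/Secure/SameSite/Domain-scoped":
            check_session_cookie(h.get("set-cookie", "")),
    }
    return findings + [msg for msg, ok in checks.items() if not ok]

# Constructed sample response (not a capture from the real service) that satisfies every check.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "Set-Cookie": "session=abc123; Path=/; Domain=coitracker.co; Secure; HttpOnly; SameSite=Lax",
}
```

Run `audit()` over the headers of a real response (for example from `requests` or `curl -i`) to get a list of the points above that are not met.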
Payments
We never see or store your card. All payment information is handled by Stripe, which is PCI DSS Level 1 certified. COI Tracker stores only the Stripe customer ID and subscription status returned by signed webhook events.
Email
- Reminder and vendor-request emails are sent through Resend on a domain with SPF, DKIM, and DMARC records aligned.
- Every reminder email carries an idempotency header to dedupe retries at the ESP layer.
- Replies to vendor-request emails go to your address, not ours — we are a conduit, not a party.
Secrets and keys
- All secrets live in the hosting provider’s encrypted env store.
- No secret is committed to source control.
- Database credentials and service-role keys are rotated on any suspected exposure and at least annually.
Monitoring
- Uptime and cron heartbeat are monitored externally.
- Server errors and anomalous Stripe webhook failures are captured and alerted on in real time.
- Access logs from the hosting and database providers are retained for 30 days.
Vulnerability reporting
Please email security@coitracker.co with details. We will acknowledge within two business days and keep you informed until the issue is resolved. We do not currently run a paid bounty program, but we credit reporters in a public hall of fame if they prefer recognition over anonymity.
Incident response
In the event of a confirmed data breach affecting your data, we will notify you by email within 72 hours of confirmation with scope and mitigation steps. You can reach us any time at security@coitracker.co.
Data deletion
Delete your account from the dashboard any time. We purge your data within 30 days, except where we’re required to retain limited billing records for tax and accounting purposes.