Security Policy

SquareLog stores sensitive family court evidence. You're trusting us with information that matters in your legal proceedings. Here is exactly how we protect it.

1. Encryption At Rest

All data stored in SquareLog is encrypted at rest using AES-256.

• Database (Supabase / PostgreSQL): storage-layer encryption provided by Supabase (running on AWS us-east-1). Supabase is SOC 2 Type II certified. The underlying infrastructure uses AWS KMS for key management.
• Application-level encryption: sensitive SitRep fields receive an additional layer of encryption at the application layer before they are written to the database. This means that even direct database access (including by Supabase infrastructure staff) cannot read your entry content in plaintext.
• Uploaded files (Cloudflare R2): documents and media are stored with server-side encryption. Private ACLs prevent direct public access; files are only accessible via short-lived presigned URLs generated by the API after authentication.

2. Encryption In Transit

All communication between your browser and SquareLog's servers uses TLS 1.2 or higher. We enforce HTTPS everywhere — HTTP requests are redirected to HTTPS before reaching any application logic. TLS certificates are issued by a trusted certificate authority and renewed before expiry.

Internal service-to-service communication within our infrastructure (API ↔ database, API ↔ AI service) uses private networking that does not traverse the public internet.

3. Access Controls and Tenant Isolation

SquareLog uses a multi-layer tenant isolation model:

• Row-Level Security (RLS): Supabase PostgreSQL RLS policies enforce at the database level that every SELECT, INSERT, UPDATE, and DELETE operation is scoped to the authenticated user's ID. Bypassing the application layer does not bypass access control.
• Application-level checks: every API endpoint independently verifies that the requesting user owns the resource being accessed, regardless of RLS. Defense in depth.
• JWT authentication: all authenticated API calls require a valid, non-expired JSON Web Token signed with a secret key known only to the API. Tokens are short-lived (15 minutes); refresh tokens are stored in HttpOnly cookies and rotate on each use.
• Internal services: the AI inference service and web scraper are not accessible from the internet. They communicate with the API via a private Docker network, authenticated with a shared secret.

4. Audit Logging

We log the following events for security monitoring:

• Authentication events: logins, logouts, failed login attempts, token refreshes.
• Data access events: reads and writes to SitRep entries and documents.
• Export events: any data export or bulk download.
• Administrative actions: any changes to account settings or permissions.

Security logs are retained for 90 days and are accessible only to SquareLog administrators. They are not shared with third parties except as required by law.

5. Who Can Access Your Data

SquareLog is currently a small operation. The following people may have access to production systems:

• Steven Ackley (operator): has administrative access to the production database and infrastructure for maintenance and debugging. Access is authenticated via SSH key and logged.
• Supabase infrastructure team: as the database provider, Supabase has access to underlying storage infrastructure. Supabase's policies prohibit access to customer data except in response to a valid legal request or with explicit customer authorization.

We do not use contractors or third-party personnel with access to your personal data. Administrative access to production is limited to the minimum necessary.

6. Account Security

You can help protect your account:

• Use a strong, unique password (SquareLog requires a minimum of 8 characters with mixed case, numbers, and special characters).
• Do not share your login credentials with anyone, including your attorney. If your attorney needs to review your SquareLog record, export the relevant entries and share the export — do not share your account.
• Log out when using a shared or public computer.
• Contact us immediately at [email protected] if you suspect unauthorized access to your account.

7. Responsible Disclosure

If you discover a security vulnerability in SquareLog, please report it to us privately before disclosing it publicly. We appreciate the work of security researchers and commit to:

• Acknowledging your report within 48 hours.
• Providing a substantive response within 7 days.
• Keeping you informed as we investigate and remediate.
• Not pursuing legal action against researchers acting in good faith.
• Crediting you publicly (if you wish) when the vulnerability is disclosed.

Please allow us up to 90 days to remediate before public disclosure. Reports that include proof-of-concept code or reproduction steps are most useful.

Report vulnerabilities to: [email protected] (PGP key available on request).

8. Incident Response

In the event of a security incident that affects your data:

• We will notify affected users by email as soon as practicable and no later than 72 hours after we become aware of the incident (consistent with breach notification requirements).
• Notification will include: what happened, what data was affected, what we are doing, and what you can do to protect yourself.
• We will post a public incident report on this page within 30 days of completing our investigation.

9. What We Don't Promise

10. Contact

Security vulnerabilities: [email protected]
Privacy questions: [email protected]
General inquiries: [email protected]