How we protect member and journalist data. If you're evaluating Show Sources for your organization, this page should answer most of the questions on your security questionnaire.
All connections to Show Sources — web, API, integrations — use modern TLS. HTTP traffic is redirected to HTTPS.
Passwords are hashed with bcrypt at rest. We never store or log plaintext credentials.
The Postgres database enforces row-level security policies. Anonymous users can only read public columns. Email and contact details require authentication.
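One way to express the read restrictions described above in Postgres, as an added illustration rather than Show Sources' actual schema or policies (the table, column and the Supabase-style `anon`/`authenticated` roles are assumed). Note that row-level security filters rows only; keeping contact columns away from anonymous callers needs column-level grants (or a view) on top of the policies.

```sql
-- Illustrative table: name and beat are public, contact details are not.
-- Table and column names are assumptions, not Show Sources' schema.
create table sources (
  id           uuid primary key default gen_random_uuid(),
  display_name text not null,
  beat         text,
  is_public    boolean not null default false,
  email        text,
  phone        text
);

alter table sources enable row level security;
-- Apply policies to the table owner too (superusers still bypass RLS).
alter table sources force row level security;

-- Row filter: anonymous callers see only rows flagged public.
create policy sources_anon_read on sources
  for select to anon
  using (is_public);

-- Row filter: authenticated users see every row.
create policy sources_auth_read on sources
  for select to authenticated
  using (true);

-- Column filter: RLS cannot hide columns, so withhold contact details
-- from anon with column-level grants. No insert/update/delete policy
-- exists, so writes are denied for both roles by default.
revoke all on sources from anon, authenticated;
grant select (id, display_name, beat, is_public) on sources to anon;
grant select on sources to authenticated;

-- Check as the anonymous role (SET ROLE works when the session may switch roles):
-- set role anon;
-- select display_name, beat from sources;  -- only rows where is_public = true
-- select email from sources;               -- fails: permission denied
-- select * from sources;                   -- also fails: * expands to email/phone
-- reset role;
```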
Internal access to production data is restricted to a small on-call group, behind SSO + MFA, with break-glass procedures and audit logs.
We keep Postgres point-in-time recovery for the last 7 days, plus daily encrypted snapshots retained for 30 days.
We commission independent third-party security testing every 12 months. Findings are remediated to a documented schedule.
Show Sources runs on Vercel (edge + serverless functions) and Supabase (Postgres + auth + storage). Data is hosted in the EU by default. North-American customers can request US hosting at workspace creation.
Dependencies are scanned daily for known CVEs. We patch high-severity issues within 72 hours of disclosure (or sooner depending on exploitability). Snyk and GitHub Dependabot are part of our CI pipeline.
We maintain a written incident response runbook. In the event of a confirmed data breach affecting personal data, we will notify the relevant supervisory authority within 72 hours and affected users without undue delay, in line with GDPR Article 33.
See the full list of sub-processors in the privacy policy. All sub-processors are bound by DPAs with appropriate transfer mechanisms.
We welcome responsible disclosure. Email security@showsources.example with reproduction steps. We'll acknowledge within 2 business days and keep you updated through resolution. We don't currently run a paid bug bounty but are happy to credit researchers in our hall of fame.