Security

How we protect your data. No vague promises, just the specifics.

Infrastructure

Hierarch runs on Vercel (frontend) and Supabase (backend, database, auth, storage, edge functions). Both providers maintain SOC 2 Type II compliance. All data is encrypted in transit via TLS 1.2+ and at rest using AES-256.

Authentication

User authentication is handled by Supabase Auth. We support email/password and Google OAuth. Passwords are hashed with bcrypt. Session tokens (a short-lived access token plus a refresh token) are issued by Supabase Auth and managed by the Supabase client library, which refreshes them automatically.

Third-party integration tokens (Linear, Figma, Jira, Slack) are stored server-side in Supabase with row-level security (RLS). Each user can only access their own tokens.

Row-level security

Every database table has RLS enabled, with policies that restrict select, insert, update and delete to rows where owner_id = auth.uid(), the ID of the authenticated user making the request. Users can only read, create, update, or delete their own data. There are no admin overrides in the application layer.

Edge functions

Server-side operations (account creation, avatar upload, time entries, account deletion) run as Supabase Edge Functions on Deno. Protected endpoints validate the user's access token before processing any request. Invalid or missing tokens return a 401 response.
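The token check described above, as an added example that is not Hierarch's code: a handler in the shape an edge function uses on Deno (a Request in, a Response out) that extracts the bearer token, verifies its signature, expiry and role, and returns 401 on anything else. It assumes the project's access tokens are HS256 signed with the project JWT secret, as on older Supabase projects; projects on asymmetric signing keys verify against the project's JWKS instead, typically by calling supabase.auth.getUser(). The secret, the user ID and the function names (verifyAccessToken, handleProtected, mintToken) are constructed for the example. One caveat worth pairing with the RLS section: the Supabase service_role key bypasses RLS, so any edge function that uses it must take the owner from the verified token's sub claim, never from a value in the request body.

```typescript
// Added example (not Hierarch's code): validating a Supabase-style access token
// before a protected edge function does any work. Missing, malformed, forged,
// expired or non-user tokens all produce a 401.
// Assumes HS256 signing with the project JWT secret (asymmetric-key projects
// would verify against the JWKS instead). node: imports work in Deno and Node.
import { Buffer } from "node:buffer";
import { createHmac, timingSafeEqual } from "node:crypto";

// In a real function this comes from an environment variable, never from source.
// Constructed placeholder so the example runs offline.
const JWT_SECRET = "example-jwt-secret-not-for-production";

interface Claims { sub: string; role: string; exp: number }

function b64url(input: Buffer | string): string {
  const buf = typeof input === "string" ? Buffer.from(input, "utf8") : input;
  return buf.toString("base64url");
}

// Verify an HS256 access token and return its claims, or null if anything is wrong.
// Every failure path returns null rather than throwing, so the caller makes one decision.
function verifyAccessToken(token: string, secret: string,
                           nowSec = Math.floor(Date.now() / 1000)): Claims | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [h, p, s] = parts;
  let header: Record<string, unknown>;
  let payload: Record<string, unknown>;
  try {
    header = JSON.parse(Buffer.from(h, "base64url").toString("utf8"));
    payload = JSON.parse(Buffer.from(p, "base64url").toString("utf8"));
  } catch { return null; }
  if (!header || typeof header !== "object" || !payload || typeof payload !== "object") return null;
  // Pin the algorithm: the token never gets to choose (rejects alg=none and key confusion).
  if (header.alg !== "HS256") return null;
  // Recompute the MAC over header.payload and compare in constant time.
  const expected = createHmac("sha256", secret).update(`${h}.${p}`).digest();
  const given = Buffer.from(s, "base64url");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  const sub = payload.sub, exp = payload.exp, role = payload.role;
  if (typeof sub !== "string" || typeof exp !== "number") return null;
  if (exp <= nowSec) return null;
  // Only end-user sessions: the anon key carries role "anon" and must not reach protected work.
  if (role !== "authenticated") return null;
  return { sub, role, exp };
}

// Handler body: pull the bearer token from the request, verify it, 401 on failure.
function handleProtected(req: Request, secret = JWT_SECRET): Response {
  const auth = req.headers.get("authorization") ?? "";
  const m = /^Bearer\s+(\S+)$/i.exec(auth);
  const claims = m ? verifyAccessToken(m[1], secret) : null;
  if (!claims) return new Response("Unauthorized", { status: 401 });
  // The verified subject is the owner for any follow-up work; an owner id taken
  // from the request body would let a caller act on another user's rows when the
  // function runs with a key that bypasses RLS.
  return new Response(JSON.stringify({ userId: claims.sub }),
    { status: 200, headers: { "content-type": "application/json" } });
}

// Constructs sample tokens for the example; a real service never mints its own.
function mintToken(claims: Record<string, unknown>, secret: string, alg = "HS256"): string {
  const h = b64url(JSON.stringify({ alg, typ: "JWT" }));
  const p = b64url(JSON.stringify(claims));
  const sig = b64url(createHmac("sha256", secret).update(`${h}.${p}`).digest());
  return `${h}.${p}.${sig}`;
}
```

The important detail is that the algorithm is fixed by the verifier rather than read from the token, and that the user identity used afterwards comes from the verified sub claim, not from anything the client sent alongside it.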

Data isolation

Each user's data is isolated at the database level. There is no shared data model between users. Deleting an account permanently removes all associated records, files, and integration tokens.

Responsible disclosure

If you discover a security vulnerability, please report it to security@hierarchical.app. We take all reports seriously and will respond within 48 hours. We ask that you give us reasonable time to address the issue before public disclosure.