Security
Last updated: May 15, 2026
Security is a stack of small disciplines, not one big feature. This page documents what we actually do — not what sounds good in a brochure. If you find a gap, see Vulnerability disclosure below.
Data classification
| Class | Example | How we handle it |
|---|---|---|
| Public | Tool output marked “share via permalink” | Standard web caching, no encryption requirement. |
| Customer-internal | Saved patterns, history, account email | Encrypted at rest and in transit. Access scoped to the owning user. |
| Sensitive | Payment metadata, Stripe customer ID, API keys | Encrypted at rest. API keys stored as SHA-256 hash only. All access is logged. |
| Forbidden | Card numbers, raw passwords, government IDs | Never stored. Card data flows directly from your browser to Stripe. |
Encryption
- In transit: TLS 1.3 between client, edge, app, and all subprocessors. HSTS preload on tooled.dev.
- At rest: Postgres database (Supabase) uses AES-256 disk encryption. Backups encrypted with separate keys.
- Secrets: stored in Vercel’s encrypted env-var store. Never committed to git. Never logged.
- API keys: stored as SHA-256 hashes. The plaintext is shown to you once at creation and never persisted.
- Sessions: Better Auth issues opaque tokens; the token is hashed before lookup. Cookies are HttpOnly, Secure, SameSite=Lax.
Authentication and access control
- Sign-in via passwordless email magic link (15-min expiry) or OAuth (GitHub, Google — when configured).
- Sessions valid for 30 days; refreshed on each active day.
- Rate-limited sign-in attempts (5 per minute per IP).
- Pro features gated server-side via subscription state lookup — never trusted from the client.
- API keys scoped per user, per key, with independent revocation and expiry.
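An added example (not tooled.dev's own code) of the hash-only API key storage and the per-key revocation and expiry described above. The `tk_` prefix, the in-memory `keyStore` and all function names are assumptions made for illustration.

```javascript
const nodeCrypto = require("node:crypto");

// Hypothetical stand-in for the database table: SHA-256 hex digest -> key record.
const keyStore = new Map();

function sha256Hex(s) {
  return nodeCrypto.createHash("sha256").update(s, "utf8").digest("hex");
}

// Issue a key. 32 random bytes carry enough entropy that a fast, unsalted hash
// is acceptable here (it would not be for a human-chosen password).
function issueApiKey(userId, ttlMs, now = Date.now()) {
  const plaintext = "tk_" + nodeCrypto.randomBytes(32).toString("base64url");
  const hash = sha256Hex(plaintext);
  keyStore.set(hash, { userId, expiresAt: now + ttlMs, revoked: false });
  // The plaintext leaves this function once and is never written to the store.
  return { plaintext, keyId: hash.slice(0, 12) };
}

// Verify a presented key by hashing it and looking the digest up.
function verifyApiKey(presented, now = Date.now()) {
  if (typeof presented !== "string" || !presented.startsWith("tk_")) {
    return { ok: false, reason: "malformed" };
  }
  const rec = keyStore.get(sha256Hex(presented));
  if (!rec) return { ok: false, reason: "unknown" };
  if (rec.revoked) return { ok: false, reason: "revoked" };
  if (now >= rec.expiresAt) return { ok: false, reason: "expired" };
  return { ok: true, userId: rec.userId };
}

// Revoke one key without touching the owner's other keys.
function revokeApiKey(userId, keyId) {
  for (const [hash, rec] of keyStore) {
    if (rec.userId === userId && hash.startsWith(keyId)) {
      rec.revoked = true;
      return true;
    }
  }
  return false;
}
```

A dump of `keyStore` yields only digests, so a database leak does not expose usable keys.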
Operational security
- Two-person rule: production database access requires a recorded session.
- Secret rotation: all platform tokens (Vercel, Supabase, Stripe, Cloudflare) rotated when a maintainer with access leaves, or every 12 months — whichever comes first.
- Webhook verification: Stripe webhooks verified via signature on every request. Webhooks that fail verification are dropped, and their payload is not logged.
- Idempotency: webhook handlers are idempotent; replay attacks do not double-grant subscriptions.
- Logging: structured logs to Vercel; PII redacted at the application layer before write. Logs retained 14 days.
- Dependencies: automated Dependabot / Renovate scanning; security patches applied within 7 days of public disclosure (24 hours for critical CVEs in the request path).
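An added example (not tooled.dev's own code) of the webhook verification and idempotency items above: it checks a Stripe-style `t=...,v1=...` signature header (HMAC-SHA256 over `timestamp.rawBody`) and deduplicates by event ID. The 300-second tolerance, the in-memory stores, the function names and the sample event are assumptions; production code would normally call the Stripe library's `constructEvent` instead of hand-rolling the check.

```javascript
const nodeCrypto = require("node:crypto");

const TOLERANCE_S = 300;           // assumed replay window, in seconds
const processedEvents = new Set(); // stand-in for a table with a unique index on event id
const grants = new Map();          // customer id -> number of grants applied

// HMAC-SHA256 over "<timestamp>.<raw body>", hex-encoded.
function hmacHex(secret, t, rawBody) {
  return nodeCrypto.createHmac("sha256", secret).update(`${t}.${rawBody}`, "utf8").digest("hex");
}

// Verify the header against the raw, unparsed request body.
function verifySignature(rawBody, header, secret, nowS) {
  const parts = String(header || "").split(",").map((p) => p.trim().split("="));
  const t = Number((parts.find(([k]) => k === "t") || [])[1]);
  const sigs = parts.filter(([k]) => k === "v1").map(([, v]) => v || "");
  if (!Number.isInteger(t) || Math.abs(nowS - t) > TOLERANCE_S) return false;
  const expected = Buffer.from(hmacHex(secret, t, rawBody), "hex");
  return sigs.some((s) => {
    const got = Buffer.from(s, "hex");
    return got.length === expected.length && nodeCrypto.timingSafeEqual(got, expected);
  });
}

function handleWebhook(rawBody, header, secret, nowS) {
  if (!verifySignature(rawBody, header, secret, nowS)) return { status: 400, action: "dropped" };
  const event = JSON.parse(rawBody); // parse only after the signature checks out
  if (processedEvents.has(event.id)) return { status: 200, action: "duplicate" };
  processedEvents.add(event.id);     // in a real database: same transaction as the grant
  if (event.type === "customer.subscription.created") {
    const c = event.data.object.customer;
    grants.set(c, (grants.get(c) || 0) + 1);
  }
  return { status: 200, action: "processed" };
}

// Constructed sample delivery (not real Stripe data).
const SAMPLE_SECRET = "whsec_constructed_test_secret";
const SAMPLE_T = 1700000000;
const SAMPLE_BODY = JSON.stringify({
  id: "evt_constructed_1",
  type: "customer.subscription.created",
  data: { object: { customer: "cus_constructed_1" } },
});
const SAMPLE_HEADER = `t=${SAMPLE_T},v1=${hmacHex(SAMPLE_SECRET, SAMPLE_T, SAMPLE_BODY)}`;
```

A replayed delivery inside the tolerance window still passes the signature check, which is why the event-ID deduplication is needed in addition to it.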
AI inference safety
- Inputs to the LLM are sent over TLS and not retained by us.
- Upstream providers (Google AI, Anthropic) contractually do not use API inputs to train models.
- We do not log AI inputs or outputs — only the event metadata (tool name, model tier, timestamp).
- Rate limiters cap per-IP and per-user call volume to throttle accidental or malicious leakage.
- For especially sensitive content, prefer the self-hosted open-source core — see GitHub — and run with your own LLM API key.
Payment data
We never see your card number. Stripe Embedded Checkout collects payment data directly from your browser; we receive only a customer ID and subscription status from Stripe’s webhook. tooled.dev is therefore out of PCI-DSS scope (SAQ A applies to the merchant of record — Stripe).
Infrastructure
- Hosting: Vercel (USA / global edge).
- Database: Supabase Postgres, us-east-1.
- DNS / CDN: Cloudflare.
- Rate limiting: Upstash Redis.
- Email: Resend.
- Backups: daily Postgres snapshots, retained 30 days.
- Disaster recovery: targeted RTO 4 hours, RPO 24 hours. Tested quarterly.
Vulnerability disclosure
If you find a security issue, please email security@tooled.dev with:
- A description of the issue and its impact.
- Steps to reproduce (or a minimal proof-of-concept).
- Your contact information for follow-up.
We commit to acknowledging your report within 2 business days, providing a remediation timeline within 7 business days, and crediting you publicly (if you wish) once the issue is resolved.
We do not offer cash bug bounties at this time. We do offer:
- A free 1-year Pro subscription for any reproducible bug rated Medium severity or higher.
- A free Lifetime subscription for any reproducible High or Critical severity bug.
- Public credit on our security acknowledgements page (when we ship one).
Safe harbor
We will not pursue legal action against researchers who:
- Make a good-faith effort to avoid privacy violations, destruction of data, and interruption of service.
- Only interact with their own accounts (or test accounts with permission from the owner).
- Do not exploit vulnerabilities beyond the minimum necessary to demonstrate them.
- Give us reasonable time to remediate before public disclosure (90 days, or by mutual agreement).
What we don’t do (yet)
Honesty matters more than completeness:
- SOC 2 audit: not yet. We’ll pursue it once we have meaningful enterprise demand.
- Penetration test: not yet. Currently relying on automated scanning + the open-source repo for community review.
- Bug bounty platform: not yet — direct email instead.
- Mandatory 2FA: not yet on accounts. Magic-link auth already eliminates the password-reuse attack surface, but we plan to add WebAuthn / passkey support before adding a paid mandatory-2FA tier.
Contact
Security: security@tooled.dev
General: hello@tooled.dev