Security
How we keep your job search safe.
Data isolation
Every table enforces row-level security: your data is only ever readable or writable by your own account. Server-side workers that bypass RLS filter by account on every query.
Encryption & secrets
Data is encrypted at rest. Privileged keys (service-role, payment secrets) live only on the server/worker tier and are never shipped to the browser or the companion extension.
The companion extension
The extension authenticates with a short-lived, account-scoped, revocable token — never a full login. It can only read a prepared application and report that you submitted; it can never act beyond those two endpoints, and you can revoke it instantly from settings.
Billing integrity
Payment webhooks are signature-verified before any plan change is applied, so plan state can't be forged.
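A sketch of the verify-before-apply order described above, as an added example that is not this product's or any payment provider's code. The header format (`t=<unix seconds>,v1=<hex HMAC-SHA256>`), the 300-second replay window and the `account_id`/`plan` event fields are assumptions chosen for illustration.

```python
import hashlib
import hmac
import json

TOLERANCE_SECONDS = 300  # assumed replay window, not a value from the page


def verify_webhook(secret: bytes, raw_body: bytes, header: str, now: int) -> bool:
    """True only if the header carries a fresh, valid HMAC over the raw body.

    Assumed (hypothetical) header format: "t=<unix seconds>,v1=<hex hmac-sha256>".
    """
    try:
        fields = dict(part.split("=", 1) for part in header.split(","))
        ts_text = fields["t"]
        timestamp = int(ts_text)
        claimed = bytes.fromhex(fields["v1"])
    except (KeyError, ValueError):
        return False  # malformed or incomplete header: fail closed
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False  # stale or future-dated delivery: treat as a replay
    # Sign the exact bytes received; re-serialised JSON would not match.
    signed = ts_text.encode() + b"." + raw_body
    expected = hmac.new(secret, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, claimed)  # constant-time comparison


def handle_webhook(secret, raw_body, header, now, plans):
    """Apply a plan change only after the signature check has passed."""
    if not verify_webhook(secret, raw_body, header, now):
        return 400  # body is never parsed, plan state is never touched
    event = json.loads(raw_body)
    plans[event["account_id"]] = event["plan"]
    return 200


def sign(secret, raw_body, timestamp):
    """Sender side, used here only to build constructed sample input."""
    mac = hmac.new(secret, f"{timestamp}.".encode() + raw_body, hashlib.sha256)
    return f"t={timestamp},v1={mac.hexdigest()}"
```

The body is parsed only after verification, so a forged or replayed request is rejected without its content ever reaching the plan-update logic.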
Responsible disclosure
Found a vulnerability? Email security@applybandit.com. We'll acknowledge promptly and work with you on a fix before disclosure.