Encryption in transit & at rest
All connections to Supraforge use TLS 1.2+. Stored credentials (CMS tokens, OAuth refresh tokens, API keys) are encrypted at rest in our managed database. Site content snapshots are stored encrypted.
This page describes the security controls and data-handling practices in production at Supraforge today. It is maintained by our team and updated as our posture changes. It is not an independent certification or audit report.
Every customer-facing table enforces row-level security (RLS) policies. Your data is queryable only by your authenticated session — never by other tenants, never by anonymous traffic.
WordPress, Shopify, GitHub and Webflow tokens are stored per-site, scoped to the minimum permissions needed to apply optimizations, and revocable at any time from your console.
Every repair stores the previous value before pushing the fix. Click Undo on any repair row — Supraforge restores the original title, meta, schema, or alt text and republishes.
Our managed database runs continuous, point-in-time backups with daily snapshots retained for at least 7 days. We test restores regularly.
Every scan, repair, publish, and rollback writes to a tamper-evident log keyed to your user ID and site ID. Available to you in the repair history panel.
Supraforge does not sell, rent, or share your data. Aggregated, anonymized telemetry may be used to improve the model. Full details in our Privacy policy.
Supraforge runs on enterprise-grade managed infrastructure (Cloudflare edge compute and a SOC 2-attested managed Postgres provider). Payments are processed by Stripe and never touch our servers.
Supraforge secures the platform — the application, the database, and the credentials you trust us with. You're responsible for keeping your account credentials safe, choosing strong passwords, enabling 2FA on connected services (Google, WordPress, Shopify), and reviewing the changes Supraforge proposes before they go live on regulated sites.
Found something? Email security@supraforge.one. We respond within one business day and do not pursue legal action against good-faith researchers.