Maintained by the Supraforge team

Trust & security.

This page describes the security controls and data-handling practices in production at Supraforge today. It is maintained by our team and updated as our posture changes. It is not an independent certification or audit report.

Encryption in transit & at rest

All connections to Supraforge use TLS 1.2+. Stored credentials (CMS tokens, OAuth refresh tokens, API keys) are encrypted at rest in our managed database. Site content snapshots are stored encrypted.

Row-level security on every table

Every customer-facing table enforces row-level security (RLS) policies. Your data is queryable only by your authenticated session — never by other tenants, never by anonymous traffic.

Scoped CMS credentials

WordPress, Shopify, GitHub and Webflow tokens are stored per-site, scoped to the minimum permissions needed to apply optimizations, and revocable at any time from your console.

One-click rollback on every change

Every repair stores the previous value before pushing the fix. Click Undo on any repair row — Supraforge restores the original title, meta, schema, or alt text and republishes.

Daily backups

Our managed database runs continuous, point-in-time backups with daily snapshots retained for at least 7 days. We test restores regularly.

Audit log of every action

Every scan, repair, publish, and rollback writes to a tamper-evident log keyed to your user ID and site ID. The log is available to you in the repair history panel.

We don't sell your data

Supraforge does not sell, rent, or share your data. Aggregated, anonymized telemetry may be used to improve the model. Full details are in our Privacy policy.

Trusted infrastructure

Supraforge runs on enterprise-grade managed infrastructure (Cloudflare edge compute and a SOC 2-attested managed Postgres provider). Payments are processed by Stripe and never touch our servers.

Shared responsibility

Supraforge secures the platform — the application, the database, and the credentials you trust us with. You're responsible for keeping your account credentials safe, choosing strong passwords, enabling 2FA on connected services (Google, WordPress, Shopify), and reviewing the changes Supraforge proposes before they go live on regulated sites.

Report a security issue

Found something? Email security@supraforge.one. We respond within one business day and do not pursue legal action against good-faith researchers.