Trust
Security at Wabiro.
A short, honest description of the controls that protect the data you upload. Every claim here is verifiable in our codebase or migrations — we deliberately don’t name controls we don’t actually run.
Last reviewed · May 16, 2026
Architecture
Wabiro runs on Vercel (application, serverless compute, edge network) with Supabase for Postgres, authentication, and object storage. Stripe handles payments. All traffic to the application is TLS 1.2+; we set HSTS on the apex domain.
Tenant isolation
Every table is scoped to an organization. Tenant isolation is enforced by Postgres Row-Level Security policies on every read and write — a query running with one customer’s session cannot return another customer’s rows, and there is no “customer ID” column the application is allowed to override at the API layer. The few server-side routes that need to bypass RLS (Stripe webhooks, account provisioning, account deletion) use a separate service-role credential that is never exposed to the browser.
The same isolation applies to uploaded files: each customer’s objects live under a path prefix keyed on their organization ID, and the storage RLS policy denies access to any path that doesn’t match the caller’s current org.
Encryption
Data at rest is encrypted using AES-256 by our database and storage providers. Encrypted snapshots are retained for 30 days for disaster recovery. Data in transit is TLS 1.2+ end-to-end.
Authentication
Authentication is handled by Supabase Auth. Passwords are hashed with bcrypt; sessions are HTTP-only cookies refreshed by middleware. We rate-limit authentication attempts to mitigate credential stuffing.
Single sign-on (SAML / OIDC) is on the roadmap for the Growth tier and above — contact sales@wabiro.com if it’s a requirement for your evaluation.
Application controls
- All API routes verify the caller’s session and organization membership before reading or writing.
- CSV exports defuse spreadsheet formula injection (=, +, −, @, tab, CR are prefix-quoted).
- Uploads are capped at 5 MB, allow-listed to CSV mime types, and stored under a sanitized filename that cannot escape the customer’s prefix.
- Stripe webhooks are verified by signature with a per-environment secret.
- Rate limits are applied to analyze, signup provisioning, and account deletion endpoints to limit blast radius from a compromised session.
- Open-redirect mitigations are applied to all post-login "next" parameters.
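The CSV-export control in the list above, as an added JavaScript example that is not Wabiro's own code. It assumes "prefix-quoted" means prepending a single quote, treats both the hyphen-minus and the typographic minus as triggers, and uses hypothetical function names and constructed sample rows.

```javascript
// Added example: neutralise spreadsheet formula triggers, then apply RFC 4180 quoting.
// Assumption: "prefix-quoted" means prepending a single quote (').
// Assumption: both "-" and the typographic minus (U+2212) are treated as triggers.
const FORMULA_TRIGGERS = new Set(["=", "+", "-", "\u2212", "@", "\t", "\r"]);

function defuseCell(value) {
  if (value === null || value === undefined) return "";
  // Genuine numbers cannot carry a formula; leave them so -120.5 stays numeric.
  if (typeof value === "number" && Number.isFinite(value)) return String(value);
  const text = String(value);
  return FORMULA_TRIGGERS.has(text.charAt(0)) ? "'" + text : text;
}

function csvField(value) {
  const text = defuseCell(value);
  // Defuse first, then quote: the trigger check must see the raw first character,
  // not the double quote that RFC 4180 wrapping would put in front of it.
  return /[",\r\n]/.test(text) ? '"' + text.replace(/"/g, '""') + '"' : text;
}

function toCsv(rows) {
  return rows.map((row) => row.map(csvField).join(",")).join("\r\n") + "\r\n";
}

// Constructed sample rows standing in for customer-controlled fields.
const sampleRows = [
  ["vendor", "amount", "note"],
  ["Acme Ltd", -120.5, '=HYPERLINK("http://example.invalid","open")'],
  ["@SUM(A1:A9)", 40, "+1 555 0100"],
  ["Plain Co", 7, "\tleading tab, with comma"],
];

console.log(toCsv(sampleRows));
```

A string such as "-5" is still prefixed; only values that arrive as real numbers are passed through unchanged.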
Audit logging
We maintain an append-only audit log of uploads, analyses, exports, report views, finding status changes, and account deletion. Customers can view their organization’s log at /settings/organization. Logs are retained for 24 months.
Operational practices
- Server-side errors are reported to Sentry. Customer CSV row contents are never included in error payloads.
- Database migrations are reviewed before merge; production deploys go through CI before reaching the live environment.
- Secrets are stored in Vercel and Supabase environment vaults; the live Stripe secret key is gated by an explicit STRIPE_MODE=live opt-in so it cannot reach a preview deploy by accident.
- We use least-privilege credentials for subprocessors and rotate them on a regular cadence.
What we don’t claim
Wabiro is not currently SOC 2, ISO 27001, or HIPAA certified. We will be transparent about the date we achieve each of these. If your procurement process requires a current certification, we’re happy to discuss the scope and timeline at security@wabiro.com.
Responsible disclosure
If you believe you’ve found a vulnerability, email security@wabiro.com with a description and reproduction steps. We commit to:
- Acknowledge receipt within 2 business days.
- Provide a triage update within 5 business days.
- Not pursue legal action against good-faith researchers who follow this policy: avoid privacy violations, data destruction, or service disruption; only test accounts you control; and give us a reasonable window to remediate before public disclosure.
Incident response
In the event of a confirmed incident materially affecting your data, we will notify affected customers without undue delay and in no event later than 72 hours after confirmation, by email to the address on file and to the security contact we have for your organization.
Contact
Security: security@wabiro.com. Privacy: privacy@wabiro.com. Procurement / DPA / DPIA support: sales@wabiro.com.
See also the Privacy Policy and Terms of Service.