Stacktube is built by one person, but we treat security with the same precision a larger team would. We hold no SOC 2 report or any other external certification. Instead, every security decision lives in code, and § 5 explains how you can verify it for yourself.
1. What we promise
BYOK and OAuth token encryption
Every API key and OAuth refresh token you provide is encrypted with AES-256-GCM before it is stored. Plaintext exists only transiently in memory while a request is being served: never on disk, never in the database, never in logs.
Supabase Row Level Security enabled
Row Level Security is enabled on every PostgreSQL table, so the database itself restricts each query to the rows you own. Other users' data lives in the same tables, but the policy denies access to it at the SQL layer, which means a bug in application code cannot widen what your session can read or write.
OAuth state CSRF protection
When you connect Google Drive, Dropbox, or any third-party service, we guard the OAuth handshake with a signed state nonce that expires after five minutes. A callback whose state is missing, expired, or does not carry a valid signature is rejected before any token exchange takes place.
72-hour breach notification
If we become aware of a security incident, we notify affected users by email within 72 hours. The notice includes the scope, what we have done, and what you should do.
Explicit list of data processors
Every external company that touches your data is listed in § 3. When we add a new processor, this page is updated first.
2. What we do not promise (explicitly)
The items below are explicitly out of scope today. We will reconsider each one when paid membership crosses 1,000.
- No SOC 2 Type II or ISO 27001 certification, and no appointed GDPR Data Protection Officer. We hold no external audit certification, an honest limit of a one-person operation.
- No 24/7 security operations center — incidents reported overnight or on weekends may wait until the next business day.
- No external penetration test — to be evaluated after launch, once paid membership reaches 1,000.
- No formal data retention policy — we delete on request, immediately. We do not hold data for a fixed retention window.
3. Data processors
| Company | Purpose | Region |
|---|---|---|
| Supabase | PostgreSQL database, authentication, storage | Frankfurt (EU) |
| Railway | Worker container hosting | US-West |
| Paddle | Payment processing and Merchant of Record | UK |
| Anthropic | Claude API — note summarization and extraction | US |
| Google | Gemini API — visual analysis and Drive sync | US |
| YouTube | Captions and video metadata | US |
We use no other processors. If we add one, this page is updated before that processor goes live.
4. Reporting a security issue
If you find a security vulnerability, please write directly to studio@unstackd.io.
- We reply within one week.
- Verified vulnerabilities are publicly disclosed within 60 days.
- We keep your identity private until you explicitly allow disclosure.
5. Code-verifiable guarantees
The Stacktube repository is not open source. Even so, we guarantee the following.
- One-on-one code review for security-critical modules — for encryption, RLS, and authentication, we will walk through the code together over video or screen share on request.
- Data export and permanent deletion — you may download or permanently delete your OAuth tokens, BYOK keys, and notes at any time. Deletion is propagated immediately through SQL CASCADE on the foreign keys that reference your account, so no dependent row survives the parent. Deleting a stored OAuth token removes our copy of it; the authorization you granted at the provider is revoked from that provider's account settings.
Last updated: 30 May 2026 · Next review: when paid membership crosses 1,000, or six months from now — whichever comes first