Security Policy

Version 1.0 · Last updated 2026-05-17

Security program

noburn implements technical and organizational measures aligned with SOC 2 trust principles. We are not yet SOC 2 Type II certified.

Technical controls

Our application implements:

  • Authentication via Clerk with organization-scoped access
  • Row-level security on Supabase for tenant isolation
  • SHA-256 hashing for SDK keys; webhook secrets hashed at rest
  • HMAC verification for inbound Stripe and outbound webhooks
  • Rate limiting, security headers (CSP, HSTS), and structured audit logging
  • HTTPS everywhere; secrets stored in environment variables only

Reporting vulnerabilities

Report security issues to security@noburn.dev. We aim to acknowledge reports within 2 business days.

Please do not publicly disclose vulnerabilities before we have had a reasonable time to remediate.