We take the security of your data seriously. Here's how we protect your information.
All data encrypted in transit via TLS 1.3 and at rest using AES-256-GCM with per-organization encryption keys.
No passwords to steal. Sign in via OAuth (Google, Microsoft), Magic Link, or Passkey (WebAuthn/FIDO2).
Multi-level RBAC with organization, project, and content-level roles enforced across every API endpoint.
Built on SOC 2 Type II certified infrastructure including Convex, Cloudflare, and Vercel.
All communication with Project Feed is encrypted using TLS 1.3. HSTS (HTTP Strict Transport Security) is enforced with preload to prevent downgrade attacks. All internal service-to-service communication also uses encrypted connections.
Media files and attachments are encrypted at rest using AES-256-GCM with per-organization encryption keys. Each organization has its own encryption key, which is wrapped with a master key using AES-256-GCM key wrapping. Key rotation is supported with backward compatibility for previously encrypted data.
Sensitive fields such as SSO client secrets are additionally encrypted using application-level AES-256-GCM with PBKDF2-SHA256 key derivation (100,000 iterations). API keys are stored as one-way SHA-256 hashes and can never be retrieved after creation.
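The two paragraphs above describe envelope encryption (a per-organization data key wrapped under a master key with AES-256-GCM, with versioned rotation so older ciphertexts still decrypt), PBKDF2-SHA256 derivation of an application-level key, and one-way SHA-256 storage of API keys. The block below is an added illustration of those mechanisms, not Project Feed's own code; it uses the `cryptography` package and the standard library, and the organization id, key lengths and sample plaintexts are constructed for the example. The hypothetical `OrgKeyring` keeps only wrapped data keys and binds the organization id and key version into the GCM associated data so that a ciphertext moved between organizations or relabelled with another key version fails authentication.

```python
"""Envelope encryption with per-organization keys and versioned rotation (added example)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12  # 96-bit nonce, the standard size for AES-GCM


def _seal(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    """AES-256-GCM encrypt; the random nonce is prepended to ciphertext||tag."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + AESGCM(key).encrypt(nonce, plaintext, aad)


def _open(key: bytes, blob: bytes, aad: bytes) -> bytes:
    """Inverse of _seal; raises InvalidTag if the blob or the AAD was altered."""
    return AESGCM(key).decrypt(blob[:NONCE_LEN], blob[NONCE_LEN:], aad)


@dataclass
class OrgKeyring:
    """Hypothetical per-organization keyring: data keys exist only in wrapped form."""
    org_id: str
    master_key: bytes                                   # 32 bytes, held by a KMS/HSM in practice
    wrapped: dict = field(default_factory=dict)         # key version -> wrapped DEK
    current: int = 0                                    # version used for new ciphertexts

    def _dek_aad(self, version: int) -> bytes:
        return f"{self.org_id}:dek:{version}".encode()

    def rotate(self) -> int:
        """Mint a new data key version. Old versions are kept so old data still decrypts."""
        self.current += 1
        dek = AESGCM.generate_key(bit_length=256)
        self.wrapped[self.current] = _seal(self.master_key, dek, self._dek_aad(self.current))
        return self.current

    def _unwrap(self, version: int) -> bytes:
        return _open(self.master_key, self.wrapped[version], self._dek_aad(version))

    def encrypt(self, plaintext: bytes) -> bytes:
        """Ciphertext layout: 4-byte key version || nonce || ciphertext || tag."""
        version = self.current
        aad = f"{self.org_id}:data:{version}".encode()  # version is authenticated, not just stored
        return version.to_bytes(4, "big") + _seal(self._unwrap(version), plaintext, aad)

    def decrypt(self, blob: bytes) -> bytes:
        version = int.from_bytes(blob[:4], "big")
        aad = f"{self.org_id}:data:{version}".encode()
        return _open(self._unwrap(version), blob[4:], aad)


def derive_app_key(secret: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Application-level key via PBKDF2-SHA256 (100,000 iterations, as the page states)."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, iterations, dklen=32)


def hash_api_key(api_key: str) -> str:
    """One-way storage of an API key. Plain SHA-256 is adequate only because API keys are
    long random strings; low-entropy secrets such as passwords need a slow, salted KDF."""
    return hashlib.sha256(api_key.encode()).hexdigest()


def verify_api_key(presented: str, stored_hash: str) -> bool:
    return hmac.compare_digest(hash_api_key(presented), stored_hash)


def demo_rotation() -> dict:
    """Round-trip data across a key rotation and show that tampering is detected."""
    ring = OrgKeyring("org_example", os.urandom(32))   # constructed org id and master key
    v1 = ring.rotate()
    old = ring.encrypt(b"attachment encrypted under version 1")
    v2 = ring.rotate()
    new = ring.encrypt(b"attachment encrypted under version 2")
    tampered = old[:-1] + bytes([old[-1] ^ 0x01])      # flip one bit of the GCM tag
    try:
        ring.decrypt(tampered)
        tamper_detected = False
    except InvalidTag:
        tamper_detected = True
    return {
        "old_version": v1,
        "new_version": v2,
        "old_roundtrip": ring.decrypt(old) == b"attachment encrypted under version 1",
        "new_roundtrip": ring.decrypt(new) == b"attachment encrypted under version 2",
        "tamper_detected": tamper_detected,
    }


if __name__ == "__main__":
    print(demo_rotation())
```

Rotation here only changes the key used for new writes; re-encrypting existing blobs under the newest version is a separate background job, and retiring an old version is safe only once no ciphertext still carries its version number.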
Project Feed uses passwordless authentication exclusively, eliminating the most common attack vector in web applications. Supported authentication methods:
Sessions are managed securely with automatic expiration and the ability to view and revoke individual sessions remotely. Session anomaly detection monitors for suspicious changes in IP address or device fingerprint. Users can terminate all other sessions from their security settings.
Project Feed implements role-based access control (RBAC) at multiple levels, enforced across every API endpoint:
Project Feed is built on modern, SOC 2 Type II certified infrastructure:
Comprehensive rate limiting protects against brute force and abuse across all endpoints, including authentication (5 attempts per 15 minutes), file uploads, API calls, and integration webhooks. Limits are enforced per-IP, per-key, and per-organization as appropriate.
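The paragraph above gives one concrete limit (5 authentication attempts per 15 minutes) and says limits are keyed per-IP, per-key, and per-organization. Below is an added example, not Project Feed's code, of a sliding-window limiter with an injectable clock so the behaviour at the window boundary can be checked deterministically; the scope keys and the documentation-range IP address are constructed for the example.

```python
"""Sliding-window rate limiter keyed by scope (added example)."""
import time
from collections import defaultdict, deque


class RateLimiter:
    """Allow at most `limit` events per `window_s` seconds for each key."""

    def __init__(self, limit: int, window_s: float, clock=time.monotonic):
        self.limit = limit
        self.window_s = window_s
        self.clock = clock                       # injectable for tests
        self._hits = defaultdict(deque)          # key -> timestamps inside the window

    def allow(self, key: str) -> bool:
        now = self.clock()
        q = self._hits[key]
        while q and now - q[0] >= self.window_s:  # drop timestamps that aged out
            q.popleft()
        if len(q) >= self.limit:
            return False                         # deny without recording, so denials do not extend the lockout
        q.append(now)
        return True


def login_allowed(ip: str, org_id: str, per_ip: RateLimiter, per_org: RateLimiter) -> bool:
    """An attempt must pass every applicable scope; check all so each scope is charged."""
    ip_ok = per_ip.allow(f"ip:{ip}")
    org_ok = per_org.allow(f"org:{org_id}")
    return ip_ok and org_ok


def demo_auth_limit() -> dict:
    """Six attempts from one IP within the window, then one more after it expires."""
    now = [0.0]
    per_ip = RateLimiter(limit=5, window_s=15 * 60, clock=lambda: now[0])
    per_org = RateLimiter(limit=50, window_s=15 * 60, clock=lambda: now[0])
    first_six = [login_allowed("203.0.113.7", "org_example", per_ip, per_org) for _ in range(6)]
    now[0] += 15 * 60                            # advance the fake clock past the window
    after_window = login_allowed("203.0.113.7", "org_example", per_ip, per_org)
    return {"first_six": first_six, "after_window": after_window}


if __name__ == "__main__":
    print(demo_auth_limit())
```

A production deployment would keep the timestamps in a shared store such as Redis so that every application instance enforces the same count, and would log the denial as a security event so repeated lockouts feed into monitoring.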
We continuously monitor our systems for security threats and anomalies. Audit logs track important actions including authentication events, data access, configuration changes, and security events. Audit log entries are chained using SHA-256 hashes for tamper detection, ensuring the integrity of the audit trail. Tiered retention policies (hot, warm, cold) allow organizations to meet their compliance requirements.
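The paragraph above describes audit log entries chained with SHA-256 hashes for tamper detection. The following is an added, standard-library-only example of such a chain, not Project Feed's implementation; the actors, actions and entry contents are constructed. Each entry's hash covers its own fields plus the previous entry's hash, so modifying, deleting or reordering an earlier entry breaks every link after it. It also shows the one case a bare chain cannot catch, silent removal of the newest entries, which is why the current head hash should be anchored somewhere the log writer cannot alter.

```python
"""SHA-256 hash-chained audit log with verification (added example)."""
import dataclasses
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # previous-hash value for the first entry


@dataclass(frozen=True)
class AuditEntry:
    seq: int
    actor: str
    action: str
    details: dict
    prev_hash: str
    entry_hash: str


def _digest(seq: int, actor: str, action: str, details: dict, prev_hash: str) -> str:
    # Canonical JSON so the same logical entry always hashes identically.
    payload = json.dumps(
        {"seq": seq, "actor": actor, "action": action, "details": details, "prev": prev_hash},
        sort_keys=True, separators=(",", ":"),
    ).encode()
    return hashlib.sha256(payload).hexdigest()


class AuditLog:
    def __init__(self) -> None:
        self.entries: List[AuditEntry] = []

    def append(self, actor: str, action: str, details: dict) -> AuditEntry:
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        seq = len(self.entries)
        entry = AuditEntry(seq, actor, action, details, prev, _digest(seq, actor, action, details, prev))
        self.entries.append(entry)
        return entry


def verify_chain(entries: List[AuditEntry]) -> Tuple[bool, Optional[int]]:
    """Return (ok, index of the first entry that fails). Catches edits, deletions and reordering."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e.seq != i or e.prev_hash != prev:
            return False, i
        if _digest(e.seq, e.actor, e.action, e.details, e.prev_hash) != e.entry_hash:
            return False, i
        prev = e.entry_hash
    return True, None


def demo_tamper_detection() -> dict:
    """Verify an intact chain and three tampered copies of it."""
    log = AuditLog()
    log.append("alice@example.test", "auth.login", {"method": "passkey"})       # constructed
    log.append("alice@example.test", "role.change", {"user": "bob", "role": "admin"})
    log.append("bob@example.test", "data.read", {"object": "attachment/42"})
    intact = list(log.entries)

    # Alter the recorded details of entry 1 without recomputing its hash.
    modified = list(intact)
    modified[1] = dataclasses.replace(intact[1], details={"user": "bob", "role": "viewer"})

    deleted = [intact[0], intact[2]]       # entry 1 removed from the middle
    truncated = intact[:-1]                # newest entry dropped: chain alone cannot tell

    return {
        "intact": verify_chain(intact),
        "modified": verify_chain(modified),
        "deleted": verify_chain(deleted),
        "truncated": verify_chain(truncated),
        "head": intact[-1].entry_hash,     # anchor this externally to detect truncation
    }


if __name__ == "__main__":
    print(demo_tamper_detection())
```

Verification runs in linear time over the retained entries, so it fits naturally at the boundary between retention tiers: check the chain before moving a batch from hot to warm or cold storage, and record the batch's head hash alongside it.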
For teams with security and compliance needs, Pro Plus includes:
We conduct regular internal security assessments of our application and infrastructure. Our most recent assessment covered over 97 backend files across 14 distinct security domains including authentication, authorization, data isolation, encryption, input validation, and more. Findings are triaged and remediated on a continuous basis.
We welcome responsible security research. If you discover a vulnerability in Project Feed, please report it to us so we can address it promptly.
The following are in scope for security research:
The following are out of scope:
Please include a detailed description of the vulnerability, steps to reproduce, and the potential impact. We appreciate your help in keeping Project Feed secure.
security@projectfeed.app

Project Feed is built on SOC 2 Type II certified infrastructure, including Convex, Cloudflare, and Vercel. Our security practices align with the following industry standards:
If you have questions about our security practices, please contact us at security@projectfeed.app.