LetsCollab

LetsCollab.bio

Security

Effective date: May 12, 2026 · Last updated: May 12, 2026

We treat the security of your data as a core product property. This page summarizes the controls in place today and how to reach us with security concerns. It is a general description, not a contractual commitment; if your organization needs contractual security terms, contact us for a Data Processing Agreement.

1. Infrastructure

  • Application runtime hosted on Railway (United States).
  • Managed PostgreSQL, authentication, and file storage provided by Supabase (United States).
  • Outbound transactional email via Resend; error and performance telemetry via Sentry. See Subprocessors for the full list.
  • Production and staging are isolated from each other and from local development.

2. Network And Transport

  • All traffic between browsers and our backend uses TLS 1.2 or higher.
  • HTTP Strict Transport Security (HSTS), secure cookies, and SameSite controls protect session integrity.
  • CORS is restricted to known LetsCollab origins.
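The three controls above are easiest to get wrong in the details (a substring origin match, a cookie missing one attribute, CORS headers cached across origins). The following is an added example, not LetsCollab's own code, showing how a Node server would emit them; the origin list, cookie name, and lifetimes are assumptions for illustration.

```javascript
// Added example (not LetsCollab's own code): transport hardening for a
// Node/Express-style server. Origins and lifetimes are assumed values.
const ALLOWED_ORIGINS = new Set([
  'https://letscollab.bio',     // assumed production origin
  'https://app.letscollab.bio', // assumed app origin
]);

// One year, applied to subdomains, eligible for browser preload lists.
// Only meaningful on responses served over HTTPS.
const HSTS_VALUE = 'max-age=31536000; includeSubDomains; preload';

// Response headers for a request whose Origin header is `origin`
// (undefined on same-origin navigations). The Set lookup is an exact
// match, so "https://letscollab.bio.evil.example" is not allowed.
function transportHeaders(origin) {
  const headers = {
    'Strict-Transport-Security': HSTS_VALUE,
    'X-Content-Type-Options': 'nosniff',
    // Vary on Origin so a shared cache never replays one origin's CORS
    // headers to a different origin.
    Vary: 'Origin',
  };
  if (origin !== undefined && ALLOWED_ORIGINS.has(origin)) {
    headers['Access-Control-Allow-Origin'] = origin;
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers;
}

// Session cookie with the attributes that keep it off plaintext channels,
// away from scripts, and out of cross-site requests.
function sessionCookie(name, value, maxAgeSeconds) {
  if (!/^[\x21-\x7e]+$/.test(value) || value.includes(';')) {
    throw new Error('cookie value contains characters that would break the header');
  }
  return [
    `${name}=${value}`,
    'Path=/',
    `Max-Age=${maxAgeSeconds}`,
    'Secure',
    'HttpOnly',
    'SameSite=Lax',
  ].join('; ');
}

// Browsers send Origin on state-changing methods; refuse writes whose
// Origin is missing or not on the allowlist before the handler runs.
function originAllowedForWrite(method, origin) {
  if (['GET', 'HEAD', 'OPTIONS'].includes(method)) return true;
  return origin !== undefined && ALLOWED_ORIGINS.has(origin);
}
```

The exact-match Set is the important choice: prefix or regex matching of origins is the usual way an allowlist turns into an open reflection of the attacker's origin with credentials enabled.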

3. Authentication And Access Control

  • Passwords are stored only as one-way hashes by our authentication provider; LetsCollab never sees plaintext passwords.
  • JWT-based session tokens with short lifetimes and rotation.
  • Sign-in options include email/password and Google sign-in (OAuth 2.0 with PKCE).
  • Backend authorization is least-privilege: per-endpoint guards confirm scope, role, and resource ownership before any data is read or written.
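What a "per-endpoint guard" looks like in practice is a deny-by-default decision that checks the token, the scope, the role, the tenant, and ownership in that order, and returns an explicit denial for every other path. The following is an added example, not LetsCollab's own code; the route table, claim names, roles, and resource shape are assumptions.

```javascript
// Added example (not LetsCollab's own code): a deny-by-default authorization
// guard. Routes, claim names, roles and the resource shape are assumed.
const ROLE_RANK = { viewer: 1, member: 2, admin: 3 };

// Per-endpoint policy: required token scope, minimum role, and whether the
// caller must own the target resource (admins may override ownership).
const POLICIES = {
  'GET /events/:id':    { scope: 'events:read',  minRole: 'viewer', ownerOnly: false },
  'PATCH /events/:id':  { scope: 'events:write', minRole: 'member', ownerOnly: true },
  'DELETE /events/:id': { scope: 'events:write', minRole: 'admin',  ownerOnly: false },
};

// Returns { allow: true } or { allow: false, status, reason }. Every branch
// that is not an explicit allow is a denial, so a missing claim or an
// unknown route can never fall through to the handler.
function authorize(route, claims, resource, now = Math.floor(Date.now() / 1000)) {
  const policy = POLICIES[route];
  if (!policy) return { allow: false, status: 404, reason: 'no policy for route' };
  if (!claims || typeof claims.sub !== 'string') return { allow: false, status: 401, reason: 'unauthenticated' };
  if (typeof claims.exp !== 'number' || claims.exp <= now) return { allow: false, status: 401, reason: 'token expired' };

  const scopes = typeof claims.scope === 'string' ? claims.scope.split(' ') : [];
  if (!scopes.includes(policy.scope)) return { allow: false, status: 403, reason: `missing scope ${policy.scope}` };

  const rank = ROLE_RANK[claims.role];
  if (rank === undefined || rank < ROLE_RANK[policy.minRole]) return { allow: false, status: 403, reason: 'insufficient role' };

  if (!resource) return { allow: false, status: 404, reason: 'resource not found' };
  // Tenant check: a valid token for org A must not touch org B's data even
  // with the right role. Answer 404, not 403, so ids cannot be enumerated.
  if (resource.orgId !== claims.org) return { allow: false, status: 404, reason: 'resource not in caller org' };
  if (policy.ownerOnly && resource.ownerId !== claims.sub && rank < ROLE_RANK.admin) {
    return { allow: false, status: 403, reason: 'not the owner' };
  }
  return { allow: true };
}
```

The guard is evaluated after the resource row is loaded but before anything is returned or modified, which is what "before any data is read or written" means for the client: the lookup itself is internal and its result is only released once the decision is an allow.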

4. Application Hardening

  • CSRF protection on all state-changing endpoints.
  • Rate limiting on public endpoints and sensitive write paths.
  • Input validation at API boundaries with explicit schema contracts.
  • Output encoding to prevent stored XSS in user-generated content.
  • Idempotency keys on critical request flows so retries do not double-create resources.
  • Defense-in-depth for authentication-required dashboards and SSR-rendered routes.

5. Encryption

  • Data in transit: TLS 1.2+ between clients and our services, between our services, and to subprocessors.
  • Data at rest: managed encryption by Supabase Postgres and Storage providers.
  • Application-layer encryption: OAuth refresh tokens (e.g., Google Calendar) are encrypted before persistence using keys that are not co-located with the ciphertext.

6. Logging And Monitoring

  • Application logs are structured, request-correlated, and stripped of known PII fields.
  • Error reporting is scrubbed by configured deny-lists before leaving the cluster.
  • Authentication, authorization, and admin events are retained for fraud and abuse investigations.
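A field deny-list alone misses secrets that arrive under an innocuous key or inside a free-text message, so a scrubber usually combines key matching with a few value patterns and walks nested objects with a depth limit. The following is an added example, not LetsCollab's own code; the denied field names, the patterns, and the sample event are constructed.

```javascript
// Added example (not LetsCollab's own code): scrubbing structured log events
// and error reports before they leave the process. Field names, patterns
// and the sample event are constructed.
const DENIED_FIELDS = new Set([
  'password', 'passwd', 'authorization', 'cookie', 'set-cookie',
  'refresh_token', 'access_token', 'id_token', 'email', 'phone', 'ssn',
]);

// Values that look like credentials or PII even under an innocuous key.
const VALUE_PATTERNS = [
  { re: /\bBearer\s+[A-Za-z0-9\-._~+/]+=*/g, replace: 'Bearer [REDACTED]' },
  { re: /\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g, replace: '[JWT]' },
  { re: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g, replace: '[EMAIL]' },
];

function scrubString(s) {
  let out = s;
  for (const p of VALUE_PATTERNS) out = out.replace(p.re, p.replace);
  return out;
}

// Recursive walk, depth-limited so a cyclic or very deep object cannot
// stall the logger. Keys match the deny-list case-insensitively.
function scrub(value, depth = 0) {
  if (depth > 8) return '[TRUNCATED]';
  if (typeof value === 'string') return scrubString(value);
  if (Array.isArray(value)) return value.map((v) => scrub(v, depth + 1));
  if (value && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      out[k] = DENIED_FIELDS.has(k.toLowerCase()) ? '[REDACTED]' : scrub(v, depth + 1);
    }
    return out;
  }
  return value; // numbers, booleans, null and undefined pass through
}

// Build one request-correlated event and scrub the whole record, so a
// secret placed in the message text is caught the same way as a field.
function logEvent(requestId, level, message, fields = {}) {
  return scrub({ ...fields, ts: new Date().toISOString(), request_id: requestId, level, message });
}
```

Scrubbing at the point of construction, rather than in a downstream pipeline, is what guarantees the deny-list is applied before a record reaches the error-reporting SDK or leaves the cluster.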

7. Vendor Management

All subprocessors operate under written terms that include confidentiality, security, and data-protection obligations. The current list is published at Subprocessors.

8. Incident Response

If we detect an incident likely to compromise personal data, we follow an internal response plan covering containment, investigation, notification, and remediation. Where required by applicable law, we will notify the relevant supervisory authority and affected users without undue delay and within statutory time limits (for example, where GDPR applies, notification to the supervisory authority within 72 hours of becoming aware of the breach).

9. Responsible Disclosure

If you believe you have found a security vulnerability, please email feedback@getletscollab.com with the subject "Security Disclosure". Include reproduction steps and an impact assessment, and give us a reasonable window to investigate and remediate before disclosing publicly. We do not pursue legal action against good-faith researchers who:

  • Avoid accessing other users' data beyond what is necessary to demonstrate the issue.
  • Do not exploit the vulnerability for personal gain or to disrupt the Service.
  • Give us a reasonable time to fix the issue before disclosing it.
  • Comply with applicable law.

10. Compliance Posture

LetsCollab is built to align with the principles of the GDPR, UK-GDPR, CCPA/CPRA, and Google's API Services User Data Policy (including Limited Use for restricted Google scopes). We do not currently hold SOC 2 or ISO certifications; we will update this page when third-party certifications are obtained.

11. Contact

Security questions or DPA requests: feedback@getletscollab.com.
