Security

Last updated: April 15, 2026

We take the security of your family data seriously. This page describes the technical and organizational measures we employ to protect your information.

Infrastructure

  • Hosting: Supabase (built on AWS), with data stored in the us-east-1 region
  • Encryption in transit: All connections use TLS 1.2+ (HTTPS everywhere)
  • Encryption at rest: Database storage is encrypted with AES-256 at the disk level. Disk-level encryption protects the data if the underlying media is lost or copied, but it does not restrict queries made with valid database credentials, so sensitive configuration fields are additionally encrypted in the application with AES-256-GCM (authenticated encryption) before they are written
  • Backups: Automated daily database backups with point-in-time recovery

Authentication & Access Control

  • Password hashing: bcrypt with a random salt generated for each hash. bcrypt processes only the first 72 bytes of a password; anything beyond that boundary is ignored
  • Two-factor authentication: TOTP-based 2FA available for all accounts
  • Session management: Session cookies carry the Secure and HttpOnly attributes (sent only over HTTPS, not readable by page scripts) and expire automatically
  • Rate limiting: Redis-backed rate limiting on authentication and API endpoints
  • OAuth: Google sign-in uses the Authorization Code flow with PKCE, so no client secret is present in the browser

Application Security

  • Row Level Security (RLS): Every database table has Postgres RLS policies, so a user can only read or write rows they own or have been granted access to as a collaborator, regardless of which query the client sends
  • Input validation: Zod schemas validate all user input on both client and server; the server-side check is the authoritative one, since client-side validation can be bypassed
  • CORS: Strict origin-based CORS policy on the API
  • Security headers: Helmet.js enforces CSP, X-Frame-Options, HSTS, and other security headers
  • Dependency scanning: Automated vulnerability scanning of dependencies

Data Isolation

  • Each family tree is isolated by owner and collaborator permissions
  • File uploads are scoped to authenticated users with path-based access control
  • The Supabase service-role key, which bypasses RLS, is used only by server-side code and is never sent to the browser
  • Admin endpoints require both authentication and admin role verification
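The RLS bullet above and the owner/collaborator isolation described in this section combine into one Postgres policy set. The following is an added example written for this page, not OurFamilyLineage's own schema or migration: the table, column and function names (family_trees, tree_collaborators, persons, tree_access) are assumptions. auth.uid() is Supabase's built-in helper that returns the calling user's id from the request JWT (NULL for anonymous callers).

```sql
-- Added example (not the project's own schema): owner/collaborator tenant
-- isolation with Postgres Row Level Security on Supabase. Table, column and
-- function names are assumptions chosen for illustration.

create table family_trees (
  id       uuid primary key default gen_random_uuid(),
  owner_id uuid not null references auth.users (id) on delete cascade,
  name     text not null
);

create table tree_collaborators (
  tree_id uuid not null references family_trees (id) on delete cascade,
  user_id uuid not null references auth.users (id) on delete cascade,
  role    text not null check (role in ('viewer', 'editor')),
  primary key (tree_id, user_id)
);

create table persons (
  id        uuid primary key default gen_random_uuid(),
  tree_id   uuid not null references family_trees (id) on delete cascade,
  full_name text not null
);

-- With RLS enabled and no matching policy, every row is invisible: deny by
-- default. Table owners and roles with BYPASSRLS (Supabase's service_role)
-- are not filtered, which is why that key must stay server-side.
alter table family_trees       enable row level security;
alter table tree_collaborators enable row level security;
alter table persons            enable row level security;

-- One predicate for "may the caller see / edit this tree?". SECURITY DEFINER
-- runs it as the migration role that owns the tables, so the lookup is not
-- itself filtered by the policies below; without this, the policies on
-- family_trees and tree_collaborators would reference each other and Postgres
-- would abort with "infinite recursion detected in policy".
create function tree_access(tree uuid, need_edit boolean)
returns boolean
language sql stable security definer
set search_path = public
as $$
  select exists (select 1 from family_trees t
                 where t.id = tree and t.owner_id = auth.uid())
      or exists (select 1 from tree_collaborators c
                 where c.tree_id = tree and c.user_id = auth.uid()
                   and (not need_edit or c.role = 'editor'));
$$;

-- family_trees: owners and collaborators read; only owners create, rename, delete.
create policy trees_read   on family_trees for select to authenticated
  using (tree_access(id, false));
create policy trees_insert on family_trees for insert to authenticated
  with check (owner_id = auth.uid());
create policy trees_update on family_trees for update to authenticated
  using (owner_id = auth.uid()) with check (owner_id = auth.uid());
create policy trees_delete on family_trees for delete to authenticated
  using (owner_id = auth.uid());

-- tree_collaborators: a member sees their own row; only the tree owner
-- manages the roster. The owner subquery hits family_trees under RLS, which
-- the owner passes via trees_read.
create policy collab_read on tree_collaborators for select to authenticated
  using (user_id = auth.uid()
         or exists (select 1 from family_trees t
                    where t.id = tree_id and t.owner_id = auth.uid()));
create policy collab_manage on tree_collaborators for all to authenticated
  using (exists (select 1 from family_trees t
                 where t.id = tree_id and t.owner_id = auth.uid()))
  with check (exists (select 1 from family_trees t
                      where t.id = tree_id and t.owner_id = auth.uid()));

-- persons: any collaborator reads; editors and the owner write. Permissive
-- policies combine with OR, so persons_read still lets viewers select even
-- though persons_write covers SELECT as well. The WITH CHECK on writes stops
-- an editor from moving a row into a tree they cannot edit.
create policy persons_read  on persons for select to authenticated
  using (tree_access(tree_id, false));
create policy persons_write on persons for all to authenticated
  using (tree_access(tree_id, true)) with check (tree_access(tree_id, true));
```

The policies are granted to the authenticated role only, so an anonymous request matches no policy and sees no rows. To exercise them in a psql session against the database (an assumption about how auth.uid() resolves the JWT on current Supabase images), run inside a transaction `set local role authenticated;` followed by `select set_config('request.jwt.claims', '{"sub":"<user uuid>"}', true);`, then query the tables as that user and roll back; a second session with a different sub should see only its own trees and those it collaborates on.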

Incident Response

In the event of a security incident affecting your data, we will:

  • Notify affected users within 72 hours of becoming aware of the incident
  • Report to relevant supervisory authorities as required by GDPR
  • Provide a detailed post-incident report
  • Implement remediation measures to prevent recurrence

Responsible Disclosure

If you discover a security vulnerability, please report it responsibly to contact@ourfamilylineage.com, including enough detail (affected URL or feature, steps to reproduce, and impact) for us to confirm the issue. We appreciate your help in keeping OurFamilyLineage secure and will acknowledge your contribution.

Questions

For security questions or concerns: contact@ourfamilylineage.com