Security overview
Security Overview
Pramania is designed around authenticated access, Supabase Row Level Security, private storage buckets, server-side validation, production rate limits, SSRF-safe public-link ingestion, and avoidance of sensitive profile or resume text in telemetry.
Current Controls
User workspace records are scoped by authenticated user id. Admin-only records are protected by database policies. Uploaded files and generated artifacts use private storage paths. Owner/admin tier changes and credit actions are expected to leave audit evidence.
Incident Response
Security incidents are tracked in an admin-only incident log. Notification deadlines are surfaced for operational review when notification may be required, but final notification decisions require qualified review.
To report a security or account-access concern, contact support@pramania.com.
Production Hardening Backlog
Legal review of public policies and request handling: missing.
Final data retention schedule approved by owner and counsel: missing.
DPA and subprocessor review completed: draft.
Hosting and processing regions confirmed: missing.
Cross-border transfer basis documented: missing.
Breach response owner and escalation rota assigned: draft.
Durable distributed rate limiting selected for production: draft.
Admin access review cadence scheduled: draft.
Payment entitlement reconciliation and refund support procedure approved: draft.