Security & Privacy

Supabase Auth, session checks, API auth wrappers, and operator workspace guards protect app routes.

• - Supabase session refresh
• - Role checks for admin, creator, and affiliate routes
• - Workspace permissions for fleet actions

Supabase RLS and explicit direct-client deny policies protect server-owned tables.

• - Profiles and platform settings hardened
• - Fleet/operator tables deny direct anon/authenticated access
• - Server services keep reward truth

The app has security headers, validation, request guards, and rate-limit helpers where routes opt in.

• - CSP, HSTS, frame, content-type, and referrer headers
• - Zod validation on API input
• - Rate-limit and query guard utilities

Important admin and role actions write audit records, and quality/security gates produce reports.

• - Admin audit-log routes and service
• - Role-switch audit records
• - Security scans and deploy safety checks

Billing uses hosted provider flows; reward settlement proof stays owner-paid and outside platform funding.

• - Razorpay platform billing
• - Stripe creator catalog connection
• - Manual, PayPal, and UPI settlement proof records

Hosted fleet candidate intake uses Authkey-backed OTP before PII submission.

• - OTP send and verify routes
• - Private OTP challenge table
• - Candidate consent and intake service path

Needs versioned external contracts, scoped keys or service accounts, quotas, audit trails, replay rules, and a sandbox story.

Needs Supabase MFA or another central provider path, enrollment/recovery UI, and admin enforcement policy.

Consent, exports, and retention foundations exist, but formal GDPR/DPDP-style readiness needs a data map, request workflow, and evidence.

Relevant for enterprise sales later. It needs policies, control owners, evidence collection, vendor review, and an auditor.

Hosted Stripe/Razorpay flows mean ReferCommander should avoid card data. PCI scope changes only if the app starts handling cardholder data directly.

Logs and deploy gates exist, but automated incident response needs runbooks, alert routing, owners, and tested escalation drills.

If you find a security issue, send it through the contact page with steps to reproduce, affected route, expected impact, and safe evidence. Do not include secrets or unrelated customer data.

Security copy should be refreshed after material auth, RLS, API, payment, compliance, or vendor changes. Claims stay tied to code evidence and operational proof.