Security
Security is built into the AuraQuill architecture across authentication, storage, and background processing. This page summarises the controls in place and how to report potential vulnerabilities.
Last updated: March 8, 2026
Authentication & access control
- Authentication is handled through Supabase Auth with JWT validation on every protected backend route.
- Access to user-scoped resources is validated on every request; no state is shared between users.
- Unauthorised requests are rejected, logged, and monitored for abuse patterns.
Data & storage protections
- Audio and file storage uses scoped paths tied to individual user accounts.
- Sensitive service credentials are managed through server-side environment configuration and are never placed in client-side code.
- Transport security is enforced through HTTPS in all production deployments.
Operational security
- Background transcription and AI jobs run in isolated Celery worker processes.
- Caching and realtime event channels are segmented by user context.
- Structured logging is used for observability and incident diagnosis without exposing sensitive content.
User security best practices
- Sign in with a well-protected Google account that has two-factor authentication enabled.
- Sign out on shared or public devices.
- Report suspicious activity to security@auraquill.app immediately.
Responsible disclosure
If you discover a vulnerability in AuraQuill, please report it to security@auraquill.app with reproduction steps and impact details.
Please avoid public disclosure until we have had a reasonable opportunity to investigate and patch. If your report involves account data exposure, mark it as urgent in the subject line.