Security at The PM Toolkit
How we protect your data
The PM Toolkit is built with security as a foundational requirement, not an afterthought. Here's how we protect your product data, account, and privacy.
Authentication & access control
All user accounts are protected through Supabase Auth with support for email/password and Google OAuth sign-in. Every API request is authenticated using JWT tokens, and user identity is extracted from the token — never from request parameters. Row-level security (RLS) is enforced on every database table, isolating your project data, artifacts, and conversations at the database level.
Data encryption
All data in transit is encrypted using TLS/HTTPS, enforced by both Cloudflare and HTTP Strict Transport Security (HSTS) headers. Data at rest is encrypted through Supabase's underlying infrastructure using AES-256 encryption.
AI & prompt security
Your product data is used to personalize AI-generated artifacts. User-provided content is structurally separated from AI system instructions. All AI-generated HTML output is sanitized using DOMPurify with a strict allowlist before rendering. AI generation endpoints enforce per-user rate limiting. We use Anthropic's Claude API, which does not use your data to train models.
Application security
- Content Security Policy (CSP) restricts which scripts, connections, and resources can load
- Input validation on all API endpoints using Zod schema validation
- CORS protection locked to our domain
- File upload validation checks both extension and MIME type
- Error monitoring through Sentry for rapid issue detection (with automatic redaction of sensitive fields)
- X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy headers enforced
- AI output monitoring detects prompt injection and anomalous responses
Secrets & infrastructure
All API keys, tokens, and secrets are stored server-side in encrypted environment variables. No secrets are present in client-side code. Infrastructure runs on Railway (backend) with Supabase (database and auth).
Payments & billing
All payment processing is handled by Stripe. We never store, process, or have access to your full credit card number. Payment data flows directly to Stripe's PCI DSS Level 1 certified infrastructure. Stripe webhooks are verified using cryptographic signatures before processing.
Analytics & tracking
We use PostHog for product analytics to understand how features are used and improve the experience. Analytics data is used in aggregate and does not include the content of your projects or AI-generated artifacts. You can manage cookie preferences through our consent banner.
Responsible disclosure
If you discover a security vulnerability, please contact us at [email protected].
Last updated: March 2026