blockd
Last updated: March 2026
Security
Security is foundational to everything we build. Here's how we protect your data and your automations.
Infrastructure
Hosting. blockd runs on Railway and Vercel, both of which operate on enterprise-grade cloud infrastructure with physical access controls, redundant power, and 24/7 monitoring.
Database. All data is stored in Supabase (PostgreSQL), hosted on AWS. Supabase enforces row-level security (RLS) policies so users can only access their own data.
Encryption in transit. All communication between your browser and our servers is encrypted with TLS 1.2+. We enforce HTTPS everywhere and reject plaintext connections.
Encryption at rest. Database volumes are encrypted at rest using AES-256.
Authentication
Session management. Sessions are managed by Better Auth with cryptographically signed tokens. Sessions expire after inactivity and are invalidated on logout.
OAuth. We support signing in with Google OAuth. We never store your Google password — only a secure OAuth token used to identify you.
No password storage. We do not store plaintext passwords. Passwords (if used) are hashed using bcrypt with a per-user salt.
Integration Credentials
When you connect third-party services (Gmail, Slack, Notion, etc.), OAuth tokens are stored and managed by Composio, a purpose-built integration security platform. We never see or store your passwords for these services.
You can revoke any connected integration at any time from your Integrations page, which immediately deletes the stored token.
Payments
All payment processing is handled by Stripe, a PCI DSS Level 1 certified provider. blockd never stores, transmits, or has access to your card numbers or banking details. We store only your Stripe customer ID.
Access Control
Production database access is restricted to a minimal set of authorized personnel. All access is logged and audited.
Internal tooling requires multi-factor authentication.
API keys and secrets are stored as environment variables — never in source code or version control.
Data Isolation
Every database query is scoped to the authenticated user's ID. Row-level security policies at the database level ensure that even a bug in application code cannot expose one user's data to another.
Vulnerability Disclosure
If you discover a security vulnerability in blockd, please report it responsibly to ngokienquoc2005@gmail.com with the subject line "Security Disclosure".
Please include a description of the issue and steps to reproduce it. We will acknowledge your report within 48 hours and aim to resolve critical issues within 7 days.
We ask that you do not publicly disclose the issue until we have had a chance to address it.
Questions
Have a security question that isn't answered here? Email us at ngokienquoc2005@gmail.com.