This page is an early draft and should be reviewed before public launch.Legal index
Security Policy
Draft security posture and reporting guidance.
Defense in depth
Obrasken should use layered controls: private route gates, server-side DAL checks, API guards, rate limits, RLS assumptions, and audit logging for sensitive actions.
Reporting
Security concerns should be reported privately so they can be investigated without exposing user data or secrets.
Current status
This is a product placeholder for launch planning. It describes intended controls and user-facing expectations, not final legal advice.
Private by default
Obrasken private workspace data should remain private unless the user intentionally chooses a secure sharing or export workflow.
Security boundary
Provider keys, service-role credentials, payment data, and other secrets must remain server-side and must not be exposed in browser code or logs.
