This page is an early draft and should be reviewed before public launch.

Security Policy

Draft security posture and reporting guidance.

Legal index

Defense in depth

Obrasken should use layered controls: private route gates, server-side DAL checks, API guards, rate limits, RLS assumptions, and audit logging for sensitive actions.

Reporting

Security concerns should be reported privately so they can be investigated without exposing user data or secrets.

Current status

This is a product placeholder for launch planning. It describes intended controls and user-facing expectations, not final legal advice.

Private by default

Obrasken private workspace data should remain private unless the user intentionally chooses a secure sharing or export workflow.

Security boundary

Provider keys, service-role credentials, payment data, and other secrets must remain server-side and must not be exposed in browser code or logs.