Peptides Vault

Security

Last updated: 2026-05-12

Peptides Vault is built for people who care about rigor. Here is how the service handles your data at a technical level, in plain language.

Authentication

  • Passwords are hashed by Supabase Auth (Argon2). We never see your plain-text password.
  • Sessions use JWTs signed by Supabase. Tokens expire and refresh on a rolling basis.
  • Email verification is mandatory before chat features unlock.
  • Cloudflare Turnstile (CAPTCHA) protects signup against bot waves.

Tenant isolation

  • Every database table that holds user data has Postgres Row-Level Security (RLS) enabled.
  • All user-facing API calls use the anon key plus your JWT, so RLS is enforced on every query. The service-role key (which bypasses RLS) is used only in cron jobs and admin scripts, never on routes you can hit.
  • A structural test in the test suite blocks any route from accidentally using the service-role client.
  • Each vault gets its own Gemini File Search store, so retrieval cannot leak chunks across vaults.

Network and transport

  • HTTPS everywhere — Caddy auto-provisions Let's Encrypt certificates. HSTS is on.
  • Cloudflare WAF in front of the API blocks common attack patterns and bot traffic.
  • Per-IP and per-user rate limiting on every public endpoint.

Cost and abuse controls

  • Every user has a daily cost cap enforced server-side ($1 Free, $5 Pro).
  • Organization-wide ScholarFlow cron freezes if global spend exceeds the cap.
  • Server-Side Request Forgery (SSRF) guards block ingestion fetches from internal addresses.
  • All admin actions are recorded in an append-only audit log.
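As an added illustration (not the project's own code), here is one way to implement the SSRF guard described above in Python: every address a hostname resolves to is checked against internal ranges and one vetted address is pinned for the fetch, so a DNS rebind cannot swap in an internal target after the check. The resolver table, hostnames and addresses are constructed so the example runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

def is_internal(ip):
    """True for any address an ingestion fetch must never reach."""
    mapped = getattr(ip, "ipv4_mapped", None)  # unwrap ::ffff:10.0.0.1 style literals
    if mapped is not None:
        ip = mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local  # link-local covers 169.254/16
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def resolve_all(host):
    """Live resolver: every A/AAAA record, since all of them must pass the check."""
    return {ipaddress.ip_address(i[4][0]) for i in socket.getaddrinfo(host, None)}

def check_fetch_target(url, resolve=resolve_all):
    """Return (allowed, reason, pinned_ip). The fetcher must connect to pinned_ip
    rather than re-resolving the host, or a DNS rebind can swap in an internal address."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed", None
    if parts.username or parts.password:
        return False, "credentials in URL", None
    if not parts.hostname:
        return False, "missing host", None
    try:
        addrs = {ipaddress.ip_address(parts.hostname)}  # IP literal: check it directly
    except ValueError:
        try:
            addrs = resolve(parts.hostname)
        except OSError:  # socket.gaierror is an OSError subclass
            return False, "DNS resolution failed", None
    for ip in addrs:
        if is_internal(ip):
            return False, f"resolves to internal address {ip}", None
    return True, "ok", str(min(addrs, key=str))

# Constructed DNS table so the example runs offline (hypothetical hostnames and records).
FAKE_DNS = {
    "public.example.com": {ipaddress.ip_address("93.184.216.34")},
    "rebind.example.com": {ipaddress.ip_address("93.184.216.34"), ipaddress.ip_address("10.0.0.5")},
}

def fake_resolve(host):
    if host not in FAKE_DNS:
        raise socket.gaierror(f"no such host: {host}")
    return FAKE_DNS[host]
```

With the constructed resolver, `check_fetch_target("http://rebind.example.com/", fake_resolve)` is rejected because one of its records is internal, while the plain public host is allowed and its address pinned.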

Data exports and deletion

  • Settings → Export downloads everything we hold for you (vaults, sources, chat history) as JSON.
  • Account deletion removes your data within 30 days. Anonymized analytics may be retained.

What's still on the roadmap

  • Independent penetration test (planned post-PMF).
  • SOC 2 Type I (planned when usage justifies it).
  • Self-hosted Pro tier for users who require data sovereignty (no timeline).

Reporting a vulnerability

Found something? Email [email protected] with a description and reproduction steps. We will acknowledge within 72 hours and will not pursue legal action against good-faith security researchers.