Passwordless Login
No passwords to steal, guess, or forget. Sign in via secure email link or one-time code.
How we protect your production data
Document Version 1.6 | March 2026We assume any single security control can fail. That's why Piper implements multiple overlapping security layers, ensuring that a breach of one layer does not compromise your data.
HTTPS everywhere, security headers, WAF protection
Passwordless login, encrypted sessions, secure tokens
Role-based access, project permissions, API validation
Row-level security, encrypted at rest, parameterized queries
Audit logging, anomaly detection, incident response
All permissions validated server-side
Users only access what they need
When in doubt, deny access
Data protected in transit and at rest
No passwords to steal, guess, or forget. Sign in via secure email link or one-time code.
Short-lived access tokens with automatic refresh. Sessions validated on every request.
Sign in with Google using industry-standard protocols for secure third-party authentication.
Unauthenticated users automatically redirected. Direct URL access blocked without valid session.
Piper uses role-based access control (RBAC) to ensure users only see and modify what they're permitted to.
| Role | View | Edit | Admin |
|---|---|---|---|
| Client | Assigned Projects | Read Only | - |
| Producer | Assigned Projects | Full Edit | - |
| Company Admin | All Company Projects | Full Edit | Company Users |
Users explicitly assigned to projects. No accidental data exposure across accounts.
Database enforces permissions at the row level. Even if application logic fails, data stays protected.
All write operations validate permissions before execution. Defense-in-depth ensures multiple layers catch unauthorized access.
Legal entity data (companies owning projects) protected with dedicated RLS policies. Users only see entities linked to their accessible projects.
All data transmitted over TLS 1.2+ (HTTPS). No unencrypted connections accepted.
Database encrypted with AES-256. Backups encrypted. Managed by SOC 2 compliant infrastructure.
Documents and signed NDAs stored in isolated, access-controlled cloud storage buckets.
Managed by SOC 2 compliant infrastructure. Daily automated backups on roadmap for Q1 2026.
APIs only accept requests from whitelisted origins. No wildcard (*) access in production.
Token-based authentication plus X-Requested-With header validation blocks cross-site request forgery.
API endpoints protected against abuse with automatic throttling. Prevents brute force attacks and controls costs.
All database queries use parameterized statements. No raw SQL concatenation.
Content Security Policy headers, input sanitization, and output encoding prevent script injection.
HSTS, X-Content-Type-Options, X-Frame-Options, and CSP headers enabled on all responses.
| Component | Provider | Compliance |
|---|---|---|
| Database & Auth | Supabase | SOC 2 Type II |
| Web Hosting | SiteGround | ISO 27001 |
| CDN & DDoS | Cloudflare | SOC 2 Type II |
| Error Monitoring | Sentry | SOC 2 Type II |
Data processing agreements requested with Supabase and Sentry (in progress). Error monitoring receives pseudonymized operational metadata (user IDs and roles) but no personal data such as names or email addresses. Data export and deletion requests handled manually - contact security@siteline.pro.
PCI DSS not applicable - we do not store credit card or payment information.
Our security architecture, protocols, and this document are reviewed and updated weekly to ensure we stay ahead of emerging threats.
Regular review of dependencies, configurations, and access patterns for potential vulnerabilities.
Security measures updated based on latest best practices and threat intelligence.
This security overview kept current with all implemented protections and roadmap items.
Comprehensive audit trail capturing authentication events, permission changes, data access, and admin actions for investigation and compliance.
We have a defined incident response process to handle security events:
Confirm the incident and isolate affected systems to prevent further impact.
Remove the threat, restore systems from clean backups, and verify integrity.
Affected users notified within 72 hours. Full post-incident report and remediation.
Report security concerns: security@siteline.pro