my.proposal Back to home

Security at My Proposal

Your contracts and your clients' data deserve the strongest defaults available. Here's exactly how we protect them.

Infrastructure

Hosted on Supabase + Vercel

My Proposal runs on Supabase (PostgreSQL with Row-Level Security) hosted on AWS, and Vercel Edge Network for the application layer. Both providers maintain SOC 2 Type II certifications and undergo regular third-party security audits. Data is stored in US-East by default; EU data residency is available on the Agency plan.

Encryption

AES-256 at rest, TLS 1.2+ in transit

All data at rest, including proposal content, uploaded media, and personal information, is encrypted using AES-256 managed by our infrastructure providers. All data in transit is encrypted using TLS 1.2 or higher. We enforce HTTPS across all endpoints and reject plaintext HTTP connections.

Access control

Row-Level Security (RLS)

Every database query is scoped to the authenticated user via Supabase's Row-Level Security policies. This means it is enforced at the database layer, not just the application layer, so even a misconfigured API route cannot return another user's data. Proposals marked as sent/viewed/signed are readable by anyone with the link (by design); draft proposals are strictly private.

Authentication

Passwords hashed with bcrypt; OAuth 2.0 via Google

Passwords are hashed using bcrypt with a work factor of 12 before storage. We never store or log plaintext passwords. We support Google OAuth 2.0 as a password-free sign-in option. Session tokens are stored in short-lived JWTs with automatic rotation.

Payments

PCI-compliant payment processing

Payment processing is handled by Green Invoice / Morning API. My Proposal never receives, stores, or transmits full card numbers. We store only card brand and the last four digits for display purposes. Payment form submission goes directly to the payment processor.

E-signature

Legally binding signatures with audit trail

Signatures collected via My Proposal are compliant with the US ESIGN Act, UETA, and EU eIDAS Regulation. Each signed proposal includes a tamper-evident audit trail containing: signer name, signer email, IP address, timestamp (UTC), and a hash of the signed document.

File uploads

Uploaded media isolated per user

Images and videos uploaded to proposals are stored in Supabase Storage in a path namespace scoped to the uploading user's ID ({userId}/...). Storage policies enforce that users can only modify their own files. The bucket is publicly readable by URL for clients viewing proposals, which is expected and by design.

Responsible disclosure

If you discover a security vulnerability in My Proposal, please report it responsibly before public disclosure. We will acknowledge your report within 48 hours and aim to resolve critical issues within 7 days.

security@myproposal.app →