Trust
Security
OverlayRiskWitness produces evidence that people rely on under legal pressure. The same discipline applies to how we handle your data. This page describes the controls that are live in production today.
Database with row-level security
Your account, runs, and evidence packets live in a dedicated Supabase Postgres project. Row-level security policies are enforced at the database layer, so a request can only read or write rows that belong to the authenticated account — not because the app remembered to filter, but because the database refuses otherwise.
Authentication via Supabase Auth
Sign-in is handled by Supabase Auth with Google OAuth and email. We never see or store your Google password. Sessions are managed with secure, httpOnly cookies on the server side.
Payments handled by Stripe
All checkout and billing run through Stripe Checkout and the Stripe customer portal. Card numbers are entered on Stripe-hosted surfaces and never touch our servers — we store only a Stripe customer reference, never your card data.
Server-only secrets
API keys, the Stripe secret key, the Claude API key, and database credentials are stored as server-side environment variables in Vercel. They are never bundled into client JavaScript and never exposed to the browser.
Encryption in transit
Every connection to OverlayRiskWitness is served over HTTPS/TLS. Traffic between your browser, our application, the database, and the hosted browser engine is encrypted in transit.
CSP and security headers
Production responses ship a Content-Security-Policy plus a standard hardening header set (HSTS, X-Content-Type-Options, Referrer-Policy, and frame protections) to reduce the blast radius of injection and clickjacking attempts.
Rate-limited public endpoint
The free, no-signup witness endpoint is rate-limited per IP with a global kill-switch and a same-URL cache. This protects the engine from abuse and keeps the hosted browser capacity available for real runs.
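The three guards described above, written out as an added illustration in Node.js. This is not the project's code: it keeps the counters and cache in memory with an injectable clock so the decision logic can be exercised offline, whereas a stateless serverless deployment would hold them in a shared store such as Redis. The limits, the client IP (from the 203.0.113.0/24 documentation range) and the stored result are constructed values.

```javascript
// Added example (not the project's code): the three guards on a free, no-signup
// endpoint, kept in memory with an injectable clock so the logic is testable.
// In a stateless serverless deployment the counters and cache would live in a
// shared store (Redis or similar); the decision logic is the same.

// Canonicalise the submitted URL so trivially different spellings of the same
// page share one cache entry. Returns null for anything that is not http(s).
function normalizeUrl(raw) {
  let u;
  try { u = new URL(String(raw)); } catch { return null; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  u.hash = ''; // fragments never reach the server anyway
  return u.href;
}

class PublicEndpointGuard {
  constructor({ limit = 10, windowMs = 60_000, cacheTtlMs = 10 * 60_000, now = () => Date.now() } = {}) {
    this.limit = limit;          // requests allowed per IP per window
    this.windowMs = windowMs;    // sliding window length
    this.cacheTtlMs = cacheTtlMs;
    this.now = now;
    this.killed = false;         // global kill-switch
    this.hits = new Map();       // ip -> [timestamps of recent requests]
    this.cache = new Map();      // normalised url -> { result, expires }
  }

  setKillSwitch(on) { this.killed = Boolean(on); }

  // Decide what to do with one request. Returns one of:
  //   { decision: 'reject', reason }   do not touch the engine
  //   { decision: 'cached', result }   serve a recent run of the same URL
  //   { decision: 'run', cacheKey }    run the engine, then call store()
  check(ip, url) {
    const t = this.now();
    if (this.killed) return { decision: 'reject', reason: 'kill_switch' };

    const key = normalizeUrl(url);
    if (key === null) return { decision: 'reject', reason: 'invalid_url' };

    // Per-IP sliding window. Every request counts, including ones answered
    // from cache, so one client cannot hammer the endpoint indefinitely.
    const recent = (this.hits.get(ip) || []).filter((ts) => t - ts < this.windowMs);
    if (recent.length >= this.limit) {
      this.hits.set(ip, recent);
      return { decision: 'reject', reason: 'rate_limited', retryAfterMs: recent[0] + this.windowMs - t };
    }
    recent.push(t);
    this.hits.set(ip, recent);

    const hit = this.cache.get(key);
    if (hit && hit.expires > t) return { decision: 'cached', result: hit.result };
    if (hit) this.cache.delete(key); // expired entry
    return { decision: 'run', cacheKey: key };
  }

  // Called by the handler after a real engine run completes.
  store(cacheKey, result) {
    this.cache.set(cacheKey, { result, expires: this.now() + this.cacheTtlMs });
  }
}

// Constructed walk-through with a fake clock; 203.0.113.0/24 is a documentation range.
let clock = 0;
const guard = new PublicEndpointGuard({ limit: 2, windowMs: 1000, cacheTtlMs: 5000, now: () => clock });
const first = guard.check('203.0.113.5', 'https://Example.com/page#frag');     // run
if (first.decision === 'run') guard.store(first.cacheKey, { violations: 3 }); // constructed result
clock = 100;
const second = guard.check('203.0.113.5', 'https://example.com/page');         // cached
console.log(first.decision, second.decision);
```

The order of the checks is deliberate: the kill-switch is evaluated first so that flipping it stops all engine work immediately, and the per-IP counter is charged before the cache lookup so that repeated requests for an already-cached URL still consume quota rather than becoming a free way to keep the endpoint busy.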
Signed Stripe webhooks
Billing events arrive through a Stripe webhook whose signature is verified on every request before we act on it. An unsigned or tampered event is rejected, so subscription and payment state can only change from genuine Stripe events.
What we do and don't keep
- What we store: your account identity, the URLs you submit, the axe-core findings and rule-by-rule diffs from each run, timestamps, and hashes/links for the exhibit snapshots. This is the evidence record that makes a Risk Packet reproducible later.
- What we don't store: your card data (Stripe holds that), and full crawled page content or personal data about your site visitors beyond what is needed to produce the findings you requested.
- Where scanning runs: the witness engine runs on Browserbase, a hosted headless-browser provider. A browser session loads your page with the overlay on, then off, runs axe-core on each render, and is torn down after the run.
- Where AI is used: claim extraction (reading your public accessibility statement and quoting it back) uses the Claude API and runs only for paid Risk Packets. The free witness is a deterministic axe-core run with no AI step.
Responsible disclosure
Found something? We want to hear about it. Report suspected vulnerabilities to security@overlayrisk.com. Our machine-readable policy is published at /.well-known/security.txt. Please give us a reasonable window to remediate before public disclosure, and do not run tests that degrade service for other users.
Security is ongoing work, not a finished checklist. If your organization needs a specific control documented for procurement or a security review, email security@overlayrisk.com.