Artha is built by people who have worked on production systems with real customers. We treat your data like our own. This page documents what we do, and how to reach us if you find a hole.
Account safety
- No passwords. We use Supabase Auth magic links. There is no password to leak.
- Signed action links. The links inside our emails (mark task done, confirm earnings) are signed with an HMAC secret and expire after 24 hours. They cannot be forged or replayed.
- Rate limits. Auth endpoints are rate-limited per IP and per email. Repeated login attempts trigger a progressively slower lockout.
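The signed, expiring action link described above, as an added example (not Artha's own code): every function name, the query-parameter layout, and the in-memory set of consumed nonces used to reject a second use of the same link are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

TTL_SECONDS = 24 * 60 * 60  # links expire after 24 hours


def canonical(params):
    """Deterministic string covering every parameter except the signature itself."""
    return "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "sig")


def sign_action_link(base_url, action, task_id, user_id, secret, now=None, ttl=TTL_SECONDS):
    """Build an email action link whose parameters are bound by an HMAC-SHA256 tag."""
    now = int(time.time()) if now is None else now
    params = {
        "action": action, "task": task_id, "uid": user_id,
        "exp": now + ttl,                    # absolute expiry, covered by the MAC
        "nonce": secrets.token_hex(8),       # per-link value so each link is single-use
    }
    params["sig"] = hmac.new(secret, canonical(params).encode(), hashlib.sha256).hexdigest()
    return f"{base_url}?{urlencode(params)}"


def verify_action_link(url, secret, used_nonces, now=None):
    """Return (claims, status). Claims are only trusted after the MAC check passes."""
    now = int(time.time()) if now is None else now
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    sig = q.get("sig")
    if not sig:
        return None, "missing signature"
    expected = hmac.new(secret, canonical(q).encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):   # constant-time comparison
        return None, "bad signature"             # any altered or added parameter lands here
    if int(q["exp"]) < now:
        return None, "expired"
    if q["nonce"] in used_nonces:
        return None, "replayed"                  # same link presented a second time
    used_nonces.add(q["nonce"])
    return {"action": q["action"], "task": q["task"], "uid": q["uid"]}, "ok"
```

In a real deployment the consumed-nonce set would live in the database alongside the task row, so the check survives restarts and multiple server instances.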
Data protection
- All traffic is served over HTTPS. HSTS is enabled.
- Data at rest is encrypted by Supabase (Postgres) and Vercel (storage and logs).
- We use row-level security in Supabase so a logged-in user can only read their own rows. Service-role keys live on the server and are never shipped to the browser.
- Backups run daily and are retained for 7 days. Restore is tested quarterly.
AI providers and zero retention
We send your content to OpenAI and ElevenLabs to power the daily plan, critique, and voice features. Both providers operate under zero-data-retention API agreements with us. They do not store the content beyond the request, and they do not train models on it.
Reporting a vulnerability
We welcome coordinated disclosure. If you have found a security issue, please email security@artha.app with:
- A short description of the issue and where you found it.
- The minimal steps needed to reproduce it.
- Your name or handle if you would like credit on the acknowledgments page.
We respond within 72 hours. We will not pursue researchers who act in good faith, do not access other users' data, and give us reasonable time to fix.
PGP key for security reports is on request from the same address.