Security

We assume hostile users. Then we build anyway.

SpiralDeck holds project data, screenshots and activity telemetry for many tenants on shared infrastructure. Security isn't a checklist bolted on at the end — it's the contract for how we build, ship and respond. This is the summary; the full model lives in our repo.

Pre-launch · VDP and bug bounty open before public GA

SpiralDeck trust boundaries (request path)

  • Untrusted: Browser / mobile, Desktop app. JWT claims are evidence, not authority.
  • Edge: WAF / TLS
  • Re-validated: API (authz per request), Postgres (RLS), Blobs (signed URLs)

Invariant: Everything left of the API is untrusted. The API re-validates tenant, role and resource scope on every single request.

Isolation at the database layer

One tenant can never see another

App-layer filters are fallible — a single forgotten WHERE clause leaks data. So isolation lives in Postgres itself. Every multi-tenant table carries a tenant_id, and Row-Level Security policies enforce it. A query that arrives without a tenant context doesn't return everything — it fails closed.

  • tenant_id on every multi-tenant table
  • RLS policies are the backstop, not app code alone
  • SET LOCAL app.current_tenant per transaction
  • No tenant context → the query returns nothing
policy · tasks enforced
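-- isolation is in the DB, not the app
ALTER TABLE tasks ENABLE ROW LEVEL SECURITY;

-- missing_ok = true and NULLIF turn an unset or empty tenant context into NULL,
-- so the comparison matches no rows instead of raising an error
CREATE POLICY tenant_isolation ON tasks
  USING (tenant_id = NULLIF(current_setting(
    'app.current_tenant', true), '')::uuid);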

-- attacker forges a tenant in the JWT

app=> SELECT count(*) FROM tasks;

denied 0 rows — no tenant context set
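
The fail-closed behaviour described above, carried through three requests on one pooled connection. This is an added example, not SpiralDeck's own code: the app_user role, the tasks columns other than tenant_id, and the tenant UUIDs are constructed, and it assumes PostgreSQL run as a superuser in a throwaway database.

```sql
-- Constructed schema, role and UUIDs; run as a superuser in a throwaway database.
CREATE ROLE app_user NOLOGIN;              -- hypothetical unprivileged app role
CREATE TABLE tasks (
  id        bigserial PRIMARY KEY,
  tenant_id uuid NOT NULL,
  title     text NOT NULL
);
GRANT SELECT, INSERT ON tasks TO app_user;
GRANT USAGE ON SEQUENCE tasks_id_seq TO app_user;

ALTER TABLE tasks ENABLE ROW LEVEL SECURITY;
-- FORCE makes the policy bind the table owner as well. Superusers and
-- BYPASSRLS roles still skip RLS, so the app must never connect as one.
ALTER TABLE tasks FORCE ROW LEVEL SECURITY;

-- missing_ok = true returns NULL when the setting was never defined, and
-- NULLIF maps the empty string left behind after a SET LOCAL transaction
-- ends to NULL. "tenant_id = NULL" is never true, so no row qualifies.
CREATE POLICY tenant_isolation ON tasks
  USING      (tenant_id = NULLIF(current_setting('app.current_tenant', true), '')::uuid)
  WITH CHECK (tenant_id = NULLIF(current_setting('app.current_tenant', true), '')::uuid);

-- Tenant A request: context is set per transaction and discarded at COMMIT.
BEGIN;
SET LOCAL ROLE app_user;
-- set_config(name, value, true) is the bind-parameter-friendly form of
-- SET LOCAL; the value comes from the server's own authz check, not the client.
SELECT set_config('app.current_tenant', '11111111-1111-1111-1111-111111111111', true);
INSERT INTO tasks (tenant_id, title)
VALUES ('11111111-1111-1111-1111-111111111111', 'tenant A task');
COMMIT;

-- Tenant B request: WITH CHECK would reject a row stamped with another tenant's
-- id, and USING hides tenant A's row from SELECT, UPDATE and DELETE.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.current_tenant = '22222222-2222-2222-2222-222222222222';
INSERT INTO tasks (tenant_id, title)
VALUES ('22222222-2222-2222-2222-222222222222', 'tenant B task');
SELECT id, title FROM tasks;               -- filtered to tenant B by the policy
COMMIT;

-- Request with no tenant context on the same pooled connection.
BEGIN;
SET LOCAL ROLE app_user;
SELECT count(*) FROM tasks;                -- predicate is NULL: no row is visible
COMMIT;
```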

Threat model

The attackers we design for

We don't guess at threats — we enumerate the adversaries most likely to come at a multi-tenant work tracker, and build the controls that stop each one.

01

Cross-tenant snooper

An authenticated customer probing for any read, write or list across a tenant boundary — the most likely real-world threat.

02

Privilege climber

A workspace user trying to escalate to admin inside their own tenant.

03

Forged upload

A tampered desktop app or stolen device pushing fabricated captures or telemetry.

04

Anonymous prober

An external attacker hammering public endpoints and login flows.

05

Insider misuse

A SpiralDeck employee abusing internal tooling — gated, scoped, and impersonation-audited.

06

Supply chain

A compromised dependency or build pipeline — countered with SCA gates, SBOMs and signed artifacts.

What we're protecting

sensitivity drives the controls

  • Cross-tenant project data: Critical
  • Screenshots: Critical
  • Auth credentials & sessions: Critical
  • Activity telemetry: High
  • Billing data (via Stripe, no PAN stored): High

Security architecture

Ten principles, non-negotiable

These hold on every pull request. They're not aspirations — they're the bar code has to clear to ship.

01

Tenant isolation in the database

Postgres Row-Level Security is the backstop, not an app-layer WHERE clause. Queries without a tenant context fail closed.

02

Default-deny authorization

Every endpoint, resolver and websocket message re-checks auth → tenant → role → resource scope. New routes opt in to a permission.

03

The desktop app is untrusted

mTLS with per-install certs, short-lived workspace-scoped upload tokens, server-side validation. No long-lived secrets on the client.

04

Capture encrypted at rest

Per-tenant envelope encryption (KMS-managed keys). Blobs stored apart from metadata so a metadata leak reveals nothing.

05

Anonymized signals only

Activity counts, app and tab titles — never keystrokes, clipboard, file contents, URL paths or DOM. There is no code path to read them.

06

Consent & transparency

Capture state is always visible. Users review their own data first. Admins cannot enable capture retroactively.

07

Audit everything privileged

Role changes, capture toggles, exports, SSO/SCIM config and impersonation are hash-chained, append-only, and exportable.

08

Secret hygiene

No long-lived tokens in clients, short-lived signed URLs for blobs, per-environment CI secrets, no developer access to production secrets.

09

Dependencies & supply chain

Committed lockfiles, SCA on every PR blocking critical CVEs, an SBOM per release, hardened CI, signed artifacts.

10

Threat-modeling gate

Any PR touching identity, billing, capture or cross-tenant data ships a Security-notes section — or it is blocked at review.

Privacy & assurance

Built toward the assurances enterprises require

SpiralDeck is pre-launch, so these are commitments with their windows in motion — not attestations we're pretending to already hold.

Independent security audit

A third-party audit of our controls runs during private beta; the report is available to customers under NDA once it closes.

Data Processing Addendum

A DPA is available to every customer, covering processing roles, our subprocessors and how data is handled.

Data-subject request tooling

Access, export and erasure of personal data are built into the admin surface — one mechanism, every customer.

Data residency

EU and US regions at GA; more regions on enterprise demand.

Subprocessor list, uptime and the security whitepaper live on the trust & compliance page.

Responsible disclosure

Found something? Tell us privately.

Good-faith research that follows this policy is authorized — we won't pursue legal action against researchers who play by the rules below.

How to report

Email us with a clear description and impact, the smallest reproduction you can manage, the affected endpoint or version, and your proposed severity. Please don't open a public issue. Tell us if you'd like public credit when the fix ships.

hi@spiraldeck.com subject: [security]

PGP key + .well-known/security.txt published once the production domain is live.

Safe harbor

  • Test only your own tenant and accounts you own
  • Never access, modify or exfiltrate another tenant's data
  • No denial-of-service tests against shared infrastructure
  • No social engineering of staff or customers
  • Give us a reasonable window to fix before disclosing

Response targets

We keep you informed through triage and tell you when the fix lands. We ask that you hold public disclosure until a fix ships and we've coordinated a date.

  • Critical (RCE, tenant break, full data exfil): Ack < 24 h · Triage < 72 h · Fix < 7 d
  • High (Auth bypass, IDOR, privilege escalation): Ack < 48 h · Triage < 7 d · Fix < 30 d
  • Medium: Ack < 7 d · Triage < 14 d · Fix next minor
  • Low / info: Ack < 14 d · Triage best effort · Fix best effort

Targets, not contractual SLAs, while we're pre-GA.

The full policy — what to include, response targets, safe-harbor terms and what's in and out of scope.

Read the disclosure policy

Security you can read, not just trust.

The full threat model, isolation design and disclosure policy live in the open. Start free and see how a work tracker earns the right to capture work.