Every measure listed below is currently active in production. We don't list aspirational security measures, only what is actually implemented and verified.
All 31 tables in our Supabase PostgreSQL database have row level security (RLS) explicitly enabled and forced, including alembic_version, papers, users, labs, library_items, and every research table. Because RLS is forced, the policies apply to the table owner as well as to the application roles, so even a client holding raw database credentials is limited to the rows the policies grant it. The only exceptions PostgreSQL makes are superusers and roles with the BYPASSRLS attribute, which is why those must never be used as application credentials.
Every API request requires a signed JWT (HS256, 2-hour expiry), which the frontend attaches to each request via HTTP interceptors. The backend rejects tokens whose signature does not verify or whose expiry has passed. When a token expires, the user is automatically redirected to the login flow, and session cookies are removed on logout.
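The check the backend has to perform on every request, shown here as an added example written for this page rather than the site's own code. It uses only the standard library; the secret is a constructed placeholder, the 2-hour lifetime is the one stated above, and `issue_token`, `verify_token` and `is_valid` are names chosen for the example. The point worth seeing in code is the order of operations: the algorithm is pinned server-side before the `alg` header is trusted for anything, the signature is verified in constant time before any claim is read, and only then is `exp` enforced.

```python
"""Minimal HS256 JWT issue/verify with the standard library only.

Added example, not the site's own code. SECRET is a constructed
placeholder; the 2-hour lifetime matches the page.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

TOKEN_LIFETIME = 2 * 60 * 60  # 2 hours, as stated on the page
SECRET = b"constructed-example-secret-do-not-reuse"  # assumption for the demo


class InvalidToken(Exception):
    """Raised for any token that must be rejected."""


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # Re-add the padding JWTs strip; treat undecodable input as a bad token.
    padding = "=" * (-len(text) % 4)
    try:
        return base64.urlsafe_b64decode(text + padding)
    except ValueError as exc:
        raise InvalidToken("bad base64url segment") from exc


def issue_token(subject: str, secret: bytes = SECRET, now: Optional[int] = None) -> str:
    """Mint a token for subject that expires TOKEN_LIFETIME seconds from now."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "iat": now, "exp": now + TOKEN_LIFETIME}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_token(token: str, secret: bytes = SECRET, now: Optional[int] = None) -> dict:
    """Return the claims of a valid token, or raise InvalidToken."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("expected three segments")
    header_b64, payload_b64, sig_b64 = parts

    # 1. Pin the algorithm server-side. The "alg" header is attacker-controlled,
    #    so it must never select the verification routine (alg=none, or an
    #    RS256 public key being accepted as an HS256 secret, are the classic cases).
    try:
        header = json.loads(_b64url_decode(header_b64))
    except ValueError as exc:
        raise InvalidToken("bad header") from exc
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise InvalidToken("unexpected alg")

    # 2. Verify the signature in constant time before reading any claim.
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise InvalidToken("bad signature")

    # 3. Only now parse the claims and enforce expiry.
    try:
        payload = json.loads(_b64url_decode(payload_b64))
    except ValueError as exc:
        raise InvalidToken("bad payload") from exc
    exp = payload.get("exp") if isinstance(payload, dict) else None
    if not isinstance(exp, int) or now >= exp:
        raise InvalidToken("expired or missing exp")
    return payload


def is_valid(token: str, secret: bytes = SECRET, now: Optional[int] = None) -> bool:
    """Boolean form of verify_token for request filters and tests."""
    try:
        verify_token(token, secret, now)
        return True
    except InvalidToken:
        return False
```

A real deployment would normally use a maintained library such as PyJWT with the accepted algorithms passed explicitly; the hand-rolled version above exists only to make the three ordered checks visible.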
Our PDF proxy endpoint validates every outbound URL before making a request. It rejects: localhost and 127.0.0.0/8, 169.254.0.0/16 (link-local), the RFC 1918 private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), and any scheme other than http or https. This mitigates server-side request forgery (SSRF), where the proxy would otherwise be used to reach and scan internal services.
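An added example of such a validator, written for this page and not taken from the site's code. It applies the rules listed above and goes one step further: when the host is a name rather than an IP literal, it resolves the name and judges every returned address, because a blocklist applied to the hostname string alone is defeated by a domain that resolves to 127.0.0.1 or 10.0.0.5, or by short forms such as `127.1` that `ipaddress` rejects but the system resolver happily turns into loopback. The resolver is injectable so the logic runs offline; the sample hostnames, addresses and the function names `validate_outbound_url` and `is_safe_url` are constructed for the example.

```python
"""Outbound-URL validation for a PDF proxy (SSRF mitigation).

Added example, not the site's own code. Hostnames and addresses used
in tests are constructed; the default resolver is socket.getaddrinfo.
"""
import ipaddress
import socket
from typing import Callable, Iterable, List
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
Resolver = Callable[[str], Iterable[str]]


class UnsafeURL(ValueError):
    """Raised for any URL the proxy must refuse to fetch."""


def _system_resolver(host: str) -> List[str]:
    # Collect every A/AAAA answer: the attacker controls which ones come back,
    # so a single internal address among public ones is enough to refuse.
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return [info[4][0] for info in infos]


def is_public_address(addr: str) -> bool:
    """True only for globally routable unicast addresses."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so the IPv4 rules apply to it.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global is False for RFC 1918, loopback, link-local, 0.0.0.0/8,
    # 100.64.0.0/10, ::1, fc00::/7 and the other IANA special-purpose blocks.
    return bool(ip.is_global) and not ip.is_multicast


def validate_outbound_url(url: str, resolver: Resolver = _system_resolver) -> List[str]:
    """Return the vetted IP addresses for url, or raise UnsafeURL."""
    try:
        parts = urlsplit(url)
        host = parts.hostname  # lower-cased, brackets stripped for IPv6 literals
    except ValueError as exc:
        raise UnsafeURL("unparseable URL") from exc
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme not allowed: {parts.scheme!r}")
    if not host:
        raise UnsafeURL("missing host")
    if parts.username or parts.password:
        raise UnsafeURL("credentials in URL not allowed")

    try:
        ipaddress.ip_address(host)
        addrs = [host]  # IP literal: no DNS involved, judge it directly
    except ValueError:
        if host == "localhost" or host.endswith(".localhost"):
            raise UnsafeURL("localhost not allowed")
        try:
            addrs = list(resolver(host))
        except OSError as exc:
            raise UnsafeURL(f"cannot resolve {host}") from exc
        if not addrs:
            raise UnsafeURL(f"no addresses for {host}")

    bad = [a for a in addrs if not is_public_address(a)]
    if bad:
        raise UnsafeURL(f"{host} resolves to non-public address(es): {bad}")
    return addrs


def is_safe_url(url: str, resolver: Resolver = _system_resolver) -> bool:
    """Boolean form of validate_outbound_url."""
    try:
        validate_outbound_url(url, resolver)
        return True
    except UnsafeURL:
        return False
```

Two things the validator cannot do on its own: the HTTP client must connect to one of the returned addresses rather than re-resolving the name (otherwise a rebinding DNS answer slips in between check and use), and redirects must be disabled or each hop re-validated, since a public host can 302 to an internal address.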
All PDF uploads are capped at 15 MB, enforced both client-side and server-side. Requests over the cap are rejected with HTTP 413. The server-side check is the security control that prevents memory-exhaustion DoS from oversized files; the client-side check only gives users an early, friendlier error, since anything enforced in the browser can be bypassed.
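An added example of the server-side half of that cap, written for this page and not the site's code. It shows the detail that makes the control hold: the declared Content-Length is a client claim (and a chunked body has none), so the limit is also enforced on the bytes actually received while streaming, before anything is buffered past the cap. The 15 MB figure is from the page; `read_capped`, `accept_upload` and `PayloadTooLarge` are names chosen for the example.

```python
"""Enforce an upload size cap while streaming, not after buffering.

Added example, not the site's own code. The limit matches the page;
the reader works on any binary file-like object with read().
"""
import io
from typing import BinaryIO, Optional

MAX_UPLOAD_BYTES = 15 * 1024 * 1024  # 15 MB, as stated on the page


class PayloadTooLarge(Exception):
    """Map this to HTTP 413 in the request handler."""
    status_code = 413


def read_capped(
    stream: BinaryIO,
    declared_length: Optional[int] = None,
    limit: int = MAX_UPLOAD_BYTES,
    chunk_size: int = 64 * 1024,
) -> bytes:
    """Read at most limit bytes from stream; raise PayloadTooLarge otherwise."""
    # Fast reject when the client honestly declares a size over the cap.
    if declared_length is not None and declared_length > limit:
        raise PayloadTooLarge(f"Content-Length {declared_length} exceeds {limit}")

    # A declared length is a claim, not a guarantee, and chunked bodies carry
    # none at all, so the cap is also enforced on what actually arrives.
    buf = io.BytesIO()
    received = 0
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        received += len(chunk)
        if received > limit:
            raise PayloadTooLarge(f"body exceeded {limit} bytes")
        buf.write(chunk)

    if declared_length is not None and received != declared_length:
        raise ValueError("body length did not match Content-Length")
    return buf.getvalue()


def accept_upload(data: bytes, declared_length: Optional[int] = None,
                  limit: int = MAX_UPLOAD_BYTES) -> bool:
    """True if data would be accepted under the cap (convenience for tests)."""
    try:
        read_capped(io.BytesIO(data), declared_length, limit)
        return True
    except PayloadTooLarge:
        return False
```

Web frameworks and reverse proxies usually expose the same two knobs (a header pre-check and a body-read limit); the point is to make sure both are set, because a proxy that only checks the header still buffers a lying client's whole body.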
Lab member invitations are rate-limited to 20 per user per 24-hour window, enforced via Redis-backed counters. Exceeding the limit returns HTTP 429 with a clear error message. This prevents email quota abuse and spam.
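An added example of a fixed-window limiter on Redis-style counters, written for this page and not the site's code. The 20-per-24-hours figure is from the page; the key format, the `check_invite_quota` name and the in-memory store are constructed so the logic runs offline. The store only needs the `incr`, `expire` and `ttl` methods, which redis-py exposes under those names, so the same function works against a real client. The edge case worth seeing is the INCR-then-EXPIRE pattern: if the process dies between the two calls, the counter never expires and the user is locked out once it passes the limit, so the limiter re-applies the window whenever it finds a key without a TTL.

```python
"""Fixed-window invitation rate limit on Redis-style counters.

Added example, not the site's own code. Limit and window are from the
page; InMemoryStore is a test stand-in that mimics INCR/EXPIRE/TTL.
"""
import time
from typing import Callable, Dict, Optional, Tuple

INVITE_LIMIT = 20            # per user, as stated on the page
WINDOW_SECONDS = 24 * 60 * 60


class InMemoryStore:
    """Stand-in for a Redis client: incr/expire/ttl with Redis semantics
    (ttl returns -1 for no expiry and -2 for a missing key)."""

    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self._clock = clock
        self._data: Dict[str, Tuple[int, Optional[float]]] = {}

    def _live(self, key: str) -> Optional[Tuple[int, Optional[float]]]:
        entry = self._data.get(key)
        if entry is None:
            return None
        value, deadline = entry
        if deadline is not None and self._clock() >= deadline:
            del self._data[key]          # expired: behave as if it never existed
            return None
        return entry

    def incr(self, key: str) -> int:
        entry = self._live(key)
        value, deadline = (0, None) if entry is None else entry
        self._data[key] = (value + 1, deadline)
        return value + 1

    def expire(self, key: str, seconds: int) -> bool:
        entry = self._live(key)
        if entry is None:
            return False
        self._data[key] = (entry[0], self._clock() + seconds)
        return True

    def ttl(self, key: str) -> int:
        entry = self._live(key)
        if entry is None:
            return -2
        _, deadline = entry
        return -1 if deadline is None else max(0, int(deadline - self._clock()))


class RateLimited(Exception):
    """Map this to HTTP 429; retry_after is suitable for a Retry-After header."""
    status_code = 429

    def __init__(self, retry_after: int):
        super().__init__(f"invitation limit reached; retry after {retry_after}s")
        self.retry_after = retry_after


def check_invite_quota(store, user_id: str, limit: int = INVITE_LIMIT,
                       window: int = WINDOW_SECONDS) -> int:
    """Consume one invitation for user_id and return the remaining quota,
    or raise RateLimited."""
    key = f"ratelimit:invites:{user_id}"
    count = store.incr(key)
    # Start the window on the first hit, and repair a key that has no TTL
    # (process died between INCR and EXPIRE); without the repair such a
    # counter would lock the user out permanently once it passed the limit.
    if count == 1 or store.ttl(key) == -1:
        store.expire(key, window)
    if count > limit:
        raise RateLimited(retry_after=max(store.ttl(key), 1))
    return limit - count


def invite_allowed(store, user_id: str) -> bool:
    """Boolean form of check_invite_quota."""
    try:
        check_invite_quota(store, user_id)
        return True
    except RateLimited:
        return False
```

The extra TTL read costs a round trip per request; with a real Redis it is usually folded into a pipeline or a small Lua script so INCR and EXPIRE run atomically, which removes the crash window entirely.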
Our database runs on Supabase's managed PostgreSQL infrastructure. Supabase provides: automatic daily backups, TLS encryption in transit, at-rest encryption (AES-256), and SOC 2 Type II certification. We connect via the PgBouncer connection pooler on port 6543.
We collect only the data needed to run the service. Users can delete their account at any time via the settings page. We do not sell or share personal data with third parties. AI features send only anonymized research text to OpenAI APIs.
All API and web traffic is served over HTTPS (TLS). Plain HTTP connections are automatically redirected to HTTPS. PDF files fetched from external sources are proxied through our backend, so the external server sees our backend's address and never your IP address.
Found a vulnerability? Please report it to us before making it public. We commit to: