Security
Last updated: March 20, 2026
At a glance: TLS 1.3 in transit; AES-256 at rest; SOC 2 (provider-level); vulnerability disclosure with a 24 h response.
Infrastructure
DebateTalk runs on Supabase (PostgreSQL database and authentication) and is deployed on Vercel (frontend) and a cloud compute provider (API). All traffic is encrypted in transit using TLS 1.3. Data at rest in PostgreSQL is encrypted using AES-256.
Supabase is SOC 2 Type II certified. Our infrastructure providers maintain their own compliance programs; details are available from their respective trust pages.
Authentication
Authentication is handled by Supabase Auth. Passwords are hashed with bcrypt and never stored in plaintext. OAuth tokens (Google) are short-lived and are never persisted in our database. API access uses short-lived JWT tokens signed with RS256; tokens expire and must be refreshed by the client.
API keys for programmatic access are hashed before storage. You should treat API keys like passwords - do not commit them to source control or share them.
Data isolation
Each debate history record is tied to the authenticated user's ID, and that ownership is enforced at the database level by row-level security (RLS) policies. API endpoints are protected by JWT verification middleware; unauthenticated requests are rejected before they reach any data layer.
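The ownership enforcement described above, as an added example rather than DebateTalk's own schema or policies (the table public.debates, its columns and the two user UUIDs are assumptions): a Supabase-style Postgres RLS policy set, followed by a check that one user cannot read another user's rows.

```sql
-- Added illustration, not DebateTalk's schema: table and column names are
-- assumptions. Run on a Supabase project (local or hosted) as the postgres role.
create table if not exists public.debates (
  id         uuid primary key default gen_random_uuid(),
  user_id    uuid not null,   -- in production: references auth.users (id)
  question   text not null,
  created_at timestamptz not null default now()
);

-- Both statements matter: RLS is off by default, and the table owner bypasses
-- it unless it is forced. Until then every policy below is ignored.
alter table public.debates enable row level security;
alter table public.debates force row level security;

-- auth.uid() is Supabase's helper returning the "sub" claim of the verified
-- JWT; "authenticated" is the role Supabase assigns to signed-in callers.
create policy debates_select_own on public.debates
  for select to authenticated using (user_id = auth.uid());

create policy debates_insert_own on public.debates
  for insert to authenticated with check (user_id = auth.uid());

create policy debates_delete_own on public.debates
  for delete to authenticated using (user_id = auth.uid());
-- No update policy is defined, so updates are denied to every caller under RLS.

-- Isolation check, in one rolled-back transaction: act as user A, insert a row,
-- then switch the JWT claims to user B and prove the row is not visible.
-- Both UUIDs are constructed sample values.
begin;
set local role authenticated;
select set_config('request.jwt.claims',
  '{"sub":"11111111-1111-1111-1111-111111111111","role":"authenticated"}', true);
insert into public.debates (user_id, question)
  values ('11111111-1111-1111-1111-111111111111', 'constructed sample question');

select set_config('request.jwt.claims',
  '{"sub":"22222222-2222-2222-2222-222222222222","role":"authenticated"}', true);
do $$
begin
  if (select count(*) from public.debates) <> 0 then
    raise exception 'RLS leak: user B can read user A''s debate rows';
  end if;
end $$;
rollback;
```

Supabase's service_role key bypasses RLS entirely, so server-side code must query with the caller's own JWT (or re-check ownership itself) for these policies to take effect.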
Redis cache keys are namespaced per user. Rate-limit counters are stored separately from debate content and contain no personally identifiable information.
AI model data handling
To run a debate, your question text is sent to third-party AI model providers (Anthropic, OpenAI, Google, OpenRouter). We operate under zero data retention agreements where available. Under these agreements:
- Providers do not log or store your inputs and outputs beyond serving the request.
- Your data is not used to train or fine-tune any AI model.
- Requests are sent over TLS-encrypted connections.
For Enterprise customers with Ephemeral Mode enabled, debate content is streamed directly to your browser and is never written to our database. Only usage counters (no question text) are recorded.
Enterprise security
Enterprise plans include:
- Ephemeral Mode - zero debate content stored server-side.
- SOC 2 report - available under NDA on request.
- HIPAA BAA - available for qualifying use cases.
- Dedicated support - direct access to our security team for review.
- Audit logs - full per-user activity logs for compliance review.
Contact enterprise@debatetalk.ai to discuss Enterprise security requirements.
Vulnerability disclosure
We take security vulnerabilities seriously. If you discover a security issue in our platform, please report it responsibly:
Report to: legal@debatetalk.ai
Include a description of the vulnerability, steps to reproduce, and its potential impact. Encrypt sensitive reports using our PGP key if needed - available on request.
Our process:
- Acknowledgement - within 24 hours of your report.
- Assessment - severity and impact evaluated within 5 business days.
- Fix - critical issues patched within 7 days; others within 30 days.
- Disclosure - coordinated public disclosure after the fix is deployed.
We ask that you do not publicly disclose the vulnerability until we have had a reasonable opportunity to address it. We will not take legal action against researchers acting in good faith under this policy.
What is in scope
- Authentication and authorization bypasses.
- Cross-site scripting (XSS) or injection vulnerabilities in debatetalk.ai.
- Insecure direct object references (IDOR) - accessing another user's data.
- Sensitive data exposure in API responses.
Out of scope: denial-of-service attacks, social engineering of our staff, and vulnerabilities in third-party services we do not control.
Security updates
Subscribe to our security announcements at legal@debatetalk.ai or follow our changelog for security-related updates.