Security
Security Overview
Last updated June 1, 2026
Security practices for tenant isolation, payment scope, credentials, auditability, vulnerability intake, and production operations.
Access control and tenant isolation
Authenticated users are scoped to their organization membership and role before accessing owner portal or admin APIs.
Team role changes, member invitations, and member removals are written to the audit log with actor and target metadata.
Supabase public-schema tables are protected by row-level security (RLS) enforcement and by migrations that revoke the default public role grants.
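The RLS-plus-revocation pattern named above, shown as an added example rather than trialbridge's own migration. The table `public.projects`, the `org_members` membership table, and the column names are hypothetical; `anon`, `authenticated`, and `auth.uid()` are the standard Supabase Postgres roles and helper.

```sql
-- Added illustration of "RLS enforcement + public role revocation" for a
-- Supabase table. Table and column names are hypothetical placeholders.

-- 1. Remove the default grants so nothing is reachable via PostgREST
--    until an explicit policy allows it.
revoke all on table public.projects from public, anon, authenticated;

-- 2. Turn RLS on and force it even for the table owner, so a bug in a
--    server-side query cannot silently bypass the policies.
alter table public.projects enable row level security;
alter table public.projects force row level security;

-- 3. Only members of the owning organization may read its rows.
create policy "members read own org projects"
  on public.projects
  for select
  to authenticated
  using (
    org_id in (
      select m.org_id
      from public.org_members m
      where m.user_id = auth.uid()
    )
  );

-- 4. Only members holding the owner or admin role may change rows.
create policy "admins write own org projects"
  on public.projects
  for all
  to authenticated
  using (
    org_id in (
      select m.org_id
      from public.org_members m
      where m.user_id = auth.uid()
        and m.role in ('owner', 'admin')
    )
  )
  with check (
    org_id in (
      select m.org_id
      from public.org_members m
      where m.user_id = auth.uid()
        and m.role in ('owner', 'admin')
    )
  );

-- 5. Re-grant only what the policies above scope; anon keeps nothing.
grant select, insert, update, delete on table public.projects to authenticated;

-- Verification query for the migration review: both flags should be true.
select relname, relrowsecurity, relforcerowsecurity
from pg_class
where relname = 'projects';
```

The `with check` clause on the write policy matters: without it an admin of one organization could update a row and move it into another organization's `org_id`, and the `using` clause alone would not stop that.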
Data protection
External integration credentials are encrypted at rest and decrypted only for configured integration jobs and connection tests.
Checkout and billing use Stripe-hosted payment flows; full card numbers, card security codes, and bank credentials are not stored by trialbridge.
Customer data export and owner-confirmed tenant deletion endpoints are available for privacy operations.
Supply chain and release gates
CI runs lint, typecheck, tests, production build, dependency vulnerability audit, CodeQL analysis, secret scanning, and CycloneDX SBOM generation.
Production release uses a go-live gate with migration deploy, main-branch push, and Vercel production verification.
Vulnerability disclosure
Send suspected vulnerabilities to support@trytrialbridge.com with Security Report in the subject.
Include the affected URL, the impact, reproduction steps, screenshots or request IDs (when safe to share), and whether customer data may be affected.
Do not access, modify, delete, or exfiltrate data that does not belong to you while validating a report.