attr.so

Security at Attr.so

Security and privacy are part of every release. This page summarises how we protect your data, who we work with, and how to reach our security team.

Compliance

SOC 2 Type II - Planned
On the roadmap. Audit window starts when we cross 50 paying teams on Pro or higher.
GDPR - Compliant
Data Processing Agreement available on request. EU subprocessors only when required.
CCPA - Compliant
California Consumer Privacy Act compliant.

Security controls

Encryption at rest
All data in Postgres is AES-256 encrypted at rest. Per-account secrets (webhook signing keys, OAuth tokens) are additionally AES-GCM encrypted at the application layer with a key never stored in the database.
Encryption in transit
TLS 1.3 enforced on every endpoint. Strict-Transport-Security with preload.
Authentication
Email + password with strong rules, OAuth (Google, GitHub, Facebook, LinkedIn, Twitter), TOTP-based MFA, and WebAuthn passkeys.
Authorisation
Postgres RLS on every table. Permission-string RBAC at the account level with custom roles on Expert.
Audit logs
Every privileged action is recorded in an account-level audit log (90-day retention, configurable, CSV export).
Backups
Continuous WAL backups with 7-day point-in-time recovery via Supabase.
Vulnerability scanning
Dependabot for dependencies; CodeQL for source. Sentry for runtime monitoring.
Incident response
24-hour acknowledgement; 72-hour notification to affected customers when their data is impacted.

Subprocessors

Third parties that process customer data on our behalf. We notify customers of changes via the changelog.

Provider    Purpose                  Data                            Location
Supabase    Database, auth, storage  All app data                    us-east-1
Vercel      Application hosting      Request logs, build artifacts   Global edge
Cloudflare  Edge / DDoS protection   Request metadata                Global edge
Upstash     Rate limit + cache       IP + request counts             Global
Stripe      Payments                 Billing details                 US, EU
Resend      Transactional email      Email + name                    US
Sentry      Error monitoring         Stack traces, request context   US

Documents

  • Privacy Policy
  • Terms of Service
  • Data Processing Agreement

Report a vulnerability

If you believe you've found a security issue, please email security@attr.so. We aim to acknowledge within one business day.

attr.so

Privacy-first, developer-friendly link management software

© 2026 Attr.so - All rights reserved
Built by Apptimistic