Security

Effective: February 22, 2026

1. Our Security Commitment

Screenplay Studio is built with security at its core. Your screenplays, stories, and creative works are valuable intellectual property, and we treat them with the highest level of care. This policy outlines the technical and organizational measures we employ to protect your data.

2. Infrastructure Security

Our infrastructure is designed for reliability, performance, and security:

  • Vercel Edge Network: Our application is deployed on Vercel's global edge network, providing low-latency access with built-in DDoS protection and automatic failover across multiple regions.
  • Supabase Managed PostgreSQL: Our database runs on Supabase's managed PostgreSQL infrastructure hosted in the EU (Frankfurt), with enterprise-grade security controls, automated patching, and continuous monitoring.
  • Geographic redundancy: Data is replicated across multiple availability zones to ensure high availability. Backups are stored in geographically separate locations for disaster recovery.

3. Application Security

We implement multiple layers of application-level security:

  • CSRF Protection: Anti-CSRF tokens are used on all state-changing requests, preventing cross-site request forgery attacks.
  • XSS Prevention: All user input is sanitized and escaped before rendering. React's built-in XSS protections are complemented by strict Content Security Policy headers.
  • SQL Injection Prevention: All database queries use parameterized queries through Supabase's client library, eliminating SQL injection vectors.
  • Rate Limiting: Middleware-level rate limiting protects all API endpoints from abuse, with progressive backoff for repeated violations.
  • CSP Headers: Strict Content Security Policy headers restrict resource loading to trusted origins, mitigating injection and data exfiltration risks.
  • Input Validation & Sanitization: All user input is validated on the server side with strict type checking, length limits, and content sanitization before processing or storage.

4. Authentication & Identity

We use Supabase Auth for secure, industry-standard authentication:

  • Password hashing: All passwords are hashed using bcrypt with a unique salt per user. We never store plain-text passwords.
  • Session management: Session tokens are issued as httpOnly, Secure cookies with SameSite attributes, preventing client-side JavaScript access and cross-site attacks.
  • Email verification: All accounts require email verification before gaining full access to the platform.
  • Suspicious login detection: We monitor for unusual login patterns, including logins from new devices, unexpected geographic locations, and rapid successive authentication attempts. Suspicious activity triggers additional verification steps.

5. Encryption

Your data is encrypted at every stage:

At Rest

All data stored in our database and file storage is encrypted using AES-256 encryption, the same standard used by financial institutions and government agencies.

In Transit

All data transmitted between your browser and our servers is encrypted using TLS 1.3, the latest and most secure transport protocol. We enforce HTTPS on all connections.

Backups

All database backups are encrypted before storage and kept in geographically separate, access-controlled locations. Backup encryption keys are managed separately from data encryption keys.

6. Access Controls

We enforce strict access controls at multiple levels:

  • Row Level Security (RLS): PostgreSQL Row Level Security policies ensure that database queries can only return data the authenticated user is authorized to access. This provides a security guarantee at the database level, independent of application logic.
  • Role-based access: Users are assigned roles (owner, editor, viewer) that determine their permissions within projects and across the platform.
  • Project-level permissions: Each project has granular permission settings controlling who can view, edit, comment on, or manage the project and its contents.
  • Admin panel restrictions: Administrative functions are restricted to authorized personnel with elevated credentials, separate authentication, and full audit logging of all administrative actions.
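The following is an added illustration of how Row Level Security and project roles fit together on Supabase-managed PostgreSQL; it is not Screenplay Studio's schema or code, and the project_members and screenplays tables, their columns, and the role values are assumptions:

```sql
-- Added example; assumed tables/columns, not the platform's schema.
-- Caveat: Supabase's service_role key bypasses RLS, so these guarantees
-- only hold for queries made with a user's JWT (the authenticated role).
create table project_members (
  project_id uuid not null,
  user_id    uuid not null references auth.users (id),
  role       text not null check (role in ('owner', 'editor', 'viewer')),
  primary key (project_id, user_id)
);

create table screenplays (
  id         uuid primary key default gen_random_uuid(),
  project_id uuid not null,
  title      text not null,
  body       text
);

-- Deny by default: with RLS enabled and no matching policy, a query
-- from the authenticated role returns zero rows.
alter table project_members enable row level security;
alter table screenplays     enable row level security;

-- Members can see their own membership rows (the subqueries below rely on this).
create policy "members see own membership" on project_members
  for select to authenticated
  using (user_id = auth.uid());

-- Any member (owner, editor or viewer) can read the project's screenplays.
create policy "members can read" on screenplays
  for select to authenticated
  using (exists (
    select 1 from project_members m
    where m.project_id = screenplays.project_id
      and m.user_id = auth.uid()));

-- Only owners and editors may change a screenplay; WITH CHECK re-runs the
-- test on the new row, so an editor cannot move it into a project they
-- cannot write to.
create policy "editors can update" on screenplays
  for update to authenticated
  using (exists (
    select 1 from project_members m
    where m.project_id = screenplays.project_id
      and m.user_id = auth.uid()
      and m.role in ('owner', 'editor')))
  with check (exists (
    select 1 from project_members m
    where m.project_id = screenplays.project_id
      and m.user_id = auth.uid()
      and m.role in ('owner', 'editor')));
```

Because the policies are evaluated inside PostgreSQL, a bug in application code that forgets to filter by project still cannot return another user's rows when the query runs under the user's own JWT.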

7. Monitoring & Detection

We continuously monitor our systems to detect and respond to threats:

  • Request & error logging: All API requests and errors are logged with relevant metadata for security analysis and debugging.
  • Anomaly detection: Automated systems monitor for unusual patterns in traffic, authentication attempts, data access, and API usage that may indicate an attack or compromise.
  • Real-time alerts: Critical security events trigger immediate alerts to our engineering team, enabling rapid response to potential incidents.

8. Vulnerability Disclosure Program

We welcome responsible security research and vulnerability reports from the community.

Reporting a Vulnerability

If you discover a security vulnerability in Screenplay Studio, please report it responsibly:

  • Email: security@screenplaystudio.fun
  • Disclosure timeline: We follow a 90-day coordinated disclosure timeline. We ask that you give us 90 days from your report to address the vulnerability before making any public disclosure.
  • Recognition: We recognize and credit security researchers who responsibly report valid vulnerabilities. With your permission, we will acknowledge your contribution publicly.

What We Ask

  • Do not access or modify other users' data
  • Do not perform denial-of-service attacks
  • Do not use automated scanning tools without prior authorization
  • Provide sufficient detail for us to reproduce the issue

9. Incident Response

We maintain a structured incident response process:

1. Detect: Identify the security incident through monitoring, alerts, or external reports.

2. Contain: Immediately isolate affected systems and prevent further damage or data exposure.

3. Assess: Determine the scope, severity, and impact of the incident, including what data may be affected.

4. Notify (within 72 hours): Notify affected users and relevant supervisory authorities within 72 hours of confirming a data breach, as required by GDPR.

5. Remediate: Fix the root cause, patch vulnerabilities, and restore affected systems to full operation.

6. Post-mortem: Conduct a thorough review of the incident, document lessons learned, and implement preventive measures.

10. Compliance

Screenplay Studio is designed to comply with major data protection regulations:

  • GDPR (General Data Protection Regulation) — We comply with all GDPR requirements for EU users, including data subject rights, lawful processing bases, and cross-border transfer safeguards. See our Data Processing Agreement for details.
  • CCPA (California Consumer Privacy Act) — California residents have additional rights under the CCPA, including the right to know what personal information is collected, the right to delete, and the right to opt out of the sale of personal information. We do not sell personal information. See our Privacy Policy for CCPA-specific disclosures.

11. Security Updates

We maintain the security of our platform through:

  • Regular dependency updates and vulnerability patching
  • Automated security scanning of our codebase and dependencies
  • Prompt application of critical security patches (within 24 hours for critical vulnerabilities)
  • Version-controlled deployments with rollback capability

12. Penetration Testing

We conduct annual penetration testing performed by qualified independent security professionals. These assessments cover:

  • Web application security testing (OWASP Top 10)
  • API security assessment
  • Authentication and authorization testing
  • Infrastructure and configuration review

Findings are prioritized by severity and addressed promptly. Critical and high-severity findings are remediated immediately, with verification testing to confirm fixes.

13. Contact

For security concerns or questions about this policy: