Security

All traffic to and from adly.media is served over HTTPS with modern TLS, terminated at the edge by Vercel. Insecure HTTP requests are redirected to HTTPS automatically.

• Sign-in is handled by Supabase Auth. You can sign in with email and password, Google, or Microsoft.
• Passwords are hashed by Supabase using bcrypt and are never stored in plain text.
• OAuth flows use the standard PKCE protocol so the authorization code can't be replayed by an interceptor.
• Session cookies are HTTP-only, Secure, and SameSite=Lax to protect against common cookie-based attacks.

• Application data is stored in a managed Postgres database operated by Supabase, encrypted at rest.
• Tables are protected by Row-Level Security policies so each user can only read and write their own rows.
• Backups are managed by Supabase under their standard policy.

Payments run through Stripe. Card details are entered into a Stripe-hosted element and posted directly to Stripe — Adly never sees, transmits, or stores your full card number, CVC, or expiration. Stripe is PCI-DSS compliant; that compliance, by extension, covers the payment data flowing through Adly.

• Server-side code runs on Vercel's serverless infrastructure with isolation between requests.
• API endpoints validate the signed-in user via Supabase before reading or writing data.
• Input from forms and uploads is validated and length-capped before being persisted.
• Dependencies are kept current; we monitor security advisories from npm and our infrastructure providers.

We’re a small, early-stage team and we’re upfront about the work still ahead. We don’t yet have SOC 2, ISO 27001, or equivalent third-party security certifications. Two-factor authentication for accounts is on our roadmap but not live today. If you have specific security or compliance requirements before using Adly, get in touch at hello@adly.media.

If you believe you’ve found a security issue, please email hello@adly.media with steps to reproduce. We’ll acknowledge within two business days, work with you on the details, and credit you publicly once the issue is fixed (if you’d like). Please give us reasonable time to remediate before disclosing publicly, and don’t access data that isn’t yours during testing.