Security

RepWorth protects review, billing, and approval data with scoped access, hashed approval tokens, and explicit owner approval before posting.

Vulnerability disclosure

Report suspected vulnerabilities to security@repworth.net. We will acknowledge receipt, investigate in good faith, and avoid legal action for good-faith research that avoids data destruction, service disruption, and access to other customers' data.

Current status

  • Approval tokens are stored as SHA-256 hashes, not raw tokens.
  • Customer-facing posting requires explicit owner approval.
  • Tenant access is app-scoped and protected by row-level security (RLS) on authenticated reads.
  • Likely PHI in imported review text is blocked before persistence or logging.
  • SOC 2 audit is not yet complete.

Legal and privacy

See Privacy, Terms, and Sub-processors.