Security
This page is maintained by the app owner and describes enabled, app-visible controls. It is not a certification. Last updated: July 2026.
1. Transport and network
All traffic between your browser and Spacecraft Analytics is served over HTTPS. Modern TLS configuration is provided by the Spacecraft hosting platform. Requests made by the app to third-party market-data providers are also made over TLS. Mixed-content requests are not permitted from the app surface.
2. Authentication and session
Access to your account is scoped to a signed-in session established through the Spacecraft identity system. Whatever sign-in method you configured with Spacecraft (corporate SSO, Google, email/password) determines how you authenticate; the app itself never sees your password.
Sign out from the Account menu when you finish using a shared device. If you suspect your account has been accessed without permission, rotate the credential you use with Spacecraft and contact the app owner.
3. Authorization and data isolation
Journal entries and preferences are scoped to your account identifier. Backend reads and writes on user-owned data are gated by row-level security in the underlying database, so a request cannot return another user's rows even if the client asks for them.
Administrative operations that need to bypass row-level security run only inside trusted server code paths (verified webhooks, admin utilities) and are never exposed to the browser.
4. Secrets management
API keys, service-role credentials, and webhook secrets used by the app are stored as platform secrets and injected into the server runtime at execution time. They are not embedded in the client bundle, not committed to source control, and not readable from the browser.
5. Input validation and abuse controls
Server functions validate their inputs before touching the database or calling external services. Public endpoints under /api/public/* verify the caller (for example webhook signatures) before processing any payload. Rate limiting and standard platform protections apply at the edge.
6. Data at rest and backups
User data is stored in a managed Postgres database provided through the Spacecraft platform, which applies encryption at rest and routine backups at the infrastructure level. The app owner does not operate a separate database.
7. Logging and monitoring
Server-side logs capture request metadata, error traces, and function execution outcomes to support debugging and abuse response. Logs avoid recording secret values and are retained on a rolling operational window before rotation.
8. Third-party dependencies
The app depends on a small set of providers — Spacecraft (hosting, identity, database, AI gateway) and CoinGecko (public market data). Each provider maintains its own security posture. A vulnerability at a provider can indirectly affect the app; the app owner will act on advisories from these providers when relevant.
9. Client-side hygiene
The app avoids injecting untrusted HTML into the DOM, does not use dangerouslySetInnerHTML with user-supplied content, and renders user-provided text as normal React text nodes. Browser storage is used only for non-sensitive session and preference data.
10. What we do not claim
The app owner does not claim end-to-end encryption of user content, does not claim zero known vulnerabilities, and does not claim compliance with SOC 2, ISO 27001, PCI DSS, HIPAA, or similar frameworks. Statements on this page describe current controls, not an audited program.
11. Reporting a security issue
If you believe you have found a security vulnerability in Spacecraft Analytics, contact the app owner privately with enough detail to reproduce the issue. Please avoid public disclosure until the issue has been reviewed and remediated. The app owner appreciates good-faith research and will not pursue action against researchers who follow responsible disclosure and do not exfiltrate, degrade, or destroy user data.