1. Our Security Practices
1.1 Encryption
- All connections to the Service use HTTPS with TLS 1.2 or higher.
- Data at rest is encrypted by our cloud sub-processors (Supabase storage, Stripe, Railway, Resend).
1.2 Authentication
- Passwords are hashed and salted by Supabase Auth using industry-standard algorithms.
- Session tokens are signed and short-lived; refresh tokens are rotated.
- API tokens issued to the browser extension are scoped to the user's account.
1.3 Authorization
- The database uses row-level security so each user can only read and write their own rows.
- Server-side actions and API routes verify that the requesting user is the owner of the target row before performing any operation.
1.4 Operational
- Production secrets are stored in our hosting provider's encrypted environment variable store, not in source control.
- We monitor for failed login bursts and rate-limit sensitive endpoints.
- Dependencies are updated regularly. We track security advisories for the runtimes and libraries we depend on.
1.5 Sub-processors
We use carefully selected sub-processors (Supabase, Anthropic, Stripe, Resend, Railway, PostHog, Sentry) listed in our Privacy Policy. Each is bound by a data processing agreement and maintains its own security certifications (SOC 2 and similar).
2. What We Do NOT Guarantee
No system is 100% secure. We do not guarantee that the Service is impervious to attack and we are not responsible for incidents caused by:
- Compromise of your account credentials due to phishing, malware, or password reuse.
- Compromise of your local device.
- Outages or breaches at third-party services on which we depend.
3. Security Incident Notification
If we become aware of a security incident affecting your personal information, we will notify you and applicable supervisory authorities as required by GDPR, UK GDPR, PIPEDA, Quebec Law 25, CCPA, and any other applicable breach-notification laws. Notice will describe the nature of the incident, the categories of data involved, the likely consequences, and the mitigation steps taken.
4. Responsible Disclosure
4.1 We Welcome Reports
If you believe you have found a security vulnerability in WaterApply, we want to hear from you. We commit to working with security researchers acting in good faith.
4.2 Safe Harbour
Provided you:
- act in good faith,
- do not exfiltrate or alter user data beyond what is needed to demonstrate the vulnerability,
- do not perform attacks that would disrupt the Service for other users (no DoS, no social engineering of our staff or processors),
- give us a reasonable opportunity to respond before public disclosure,
- and comply with all applicable laws,
we consider your activity authorized for the purpose of applicable computer-crime laws and we will not pursue civil action or refer the matter to law enforcement.
4.3 In Scope
- The waterapply.app website and any subdomain.
- The WaterApply web application.
- The WaterApply browser extension.
- Public APIs.
4.4 Out of Scope
- Vulnerabilities in third-party services (Stripe, Supabase, Anthropic, Resend, Railway, Chrome Web Store) — report those to the relevant vendor.
- Reports based solely on automated scanner output with no demonstrated exploit.
- Self-XSS, content spoofing without a real impact, missing security headers without a demonstrated exploit, denial of service.
- Issues that require physical access to a user's device, an outdated browser, or unlikely user interaction.
- Social engineering of WaterApply staff, processors, or users.
- Brute force, rate-limit, or credential-stuffing tests against production accounts.
4.5 How to Report
Email waterapply1@gmail.com with the subject line "Security Disclosure". Please include:
- A description of the vulnerability and its impact.
- Reproduction steps, including any required HTTP requests or proof-of-concept code.
- Affected URLs, endpoints, or extension features.
- Your name and a contact channel (optional; anonymous reports accepted).
4.6 Our Response
- We aim to acknowledge receipt within five business days.
- We will investigate and keep you informed of progress.
- At your option, we will credit you in any public advisory, or leave your name out of it if you prefer.
- We do not currently operate a paid bug bounty program. At our discretion, we may provide swag, account credit, or a thank-you mention.
5. PGP / Encrypted Reports
We do not currently publish a PGP key. If you need to send a particularly sensitive report and would prefer encryption, email us first and we will arrange a secure channel.
6. Public Disclosure
We ask researchers to give us a reasonable window to remediate before publicly disclosing a vulnerability — typically 90 days, or sooner if a fix has shipped.