Security
Security
Cited is built to preserve Evidence from the AI answers you choose to monitor, with workspace isolation and server-side secret handling as defaults. This page describes architectural foundations that are true for the product today. It does not claim formal compliance certifications.
1. Security overview
Cited uses Clerk authentication, workspace-scoped authorization, deny-by-default database access patterns, signed webhook verification, rate limiting on sensitive actions, and redacted logging.
Security controls are designed to reduce risk. They do not eliminate all risk, and this page is not a warranty, guarantee, or service-level commitment.
2. Workspace isolation
Product data is organized by workspace. Trusted server paths check membership and role before reading or writing tenant data.
Cross-workspace resource IDs return generic not-found outcomes rather than confirming existence.
3. Authentication
Sign-in and session security are handled by Clerk. Protected app, onboarding, checkout, billing, export, and integration routes require authentication.
You are responsible for protecting credentials and for promptly revoking access for former Authorized Users.
4. Billing security
Stripe hosts payment processing. Cited does not store card numbers.
Stripe webhooks verify signatures before processing. Client-supplied price IDs are not trusted for granting access.
5. Domain verification
DNS TXT verification helps confirm domain control before monitoring. Verification attempts are rate-limited, and tokens are not exposed to unauthorized roles.
6. Provider credential handling
DataForSEO, Resend, Stripe, Clerk, Supabase service-role, and related credentials stay on the server. They are never shipped to the browser.
7. Slack webhook handling
Customer Slack incoming webhook URLs are encrypted server-side and are not returned to the browser after save.
You are responsible for the security of destinations you configure and for rotating webhooks if compromised.
8. Email and unsubscribe security
Unsubscribe tokens are hashed. Invalid or expired tokens receive generic responses. Raw tokens are not logged.
9. Export security
Exports require authentication, workspace membership, role checks, history-window enforcement, rate limits, no-store caching headers, and CSV formula-injection protection.
Exports omit secrets, Slack webhook URLs, verification tokens, unsubscribe tokens, Stripe IDs, and raw provider payloads.
Once an export leaves Cited, you are responsible for safeguarding the downloaded file.
10. Data storage and backups
Workspace data is stored in Supabase with deny-by-default row-level security posture and server-side service-role access after authorization checks.
Backup and recovery practices follow the configured hosting and database providers. Cited does not independently guarantee recovery time objectives on this page.
11. Logging and redaction
Structured logs redact secrets, tokens, webhook values, prompt text, response text, note bodies, annotation bodies, source URLs, and raw provider payloads in normal operation.
12. Customer security responsibilities
Customers are responsible for: managing Authorized User access; protecting devices and credentials; configuring only authorized domains; securing Slack and email destinations; and reviewing exports before sharing them outside the workspace.
13. Security contact
Report security issues to hello@cited.cc.
Include the affected surface and reproduction steps. Do not include verification tokens, webhook URLs, or private customer data.
14. Responsible disclosure
Please report suspected vulnerabilities privately and give Cited a reasonable opportunity to investigate before public disclosure.
Cited does not currently operate a paid bug bounty program.
Good-faith research that complies with this page and applicable law is appreciated. Do not access other customers’ data, destroy data, or degrade Service availability.
15. Current limitations
This page does not claim SOC 2, ISO, HIPAA, or PCI certification beyond Stripe-handled payments. It also does not claim penetration testing, zero-trust architecture, end-to-end encryption, or guaranteed uptime.
Security is an ongoing practice. Controls evolve with the product. Statements on this page describe current design intent and may change.