Security Overview
A transparent snapshot of current product safeguards and the remaining launch hardening work.
Security posture
SpicaNova AI is built around a human-in-the-loop email workflow. The default product behavior is to read, score, draft, and ask before sending.
It is approval-gated by default: anything that reaches a person waits for your one-tap approval, and every automated action is logged with the reason it was taken, so you can always review why.
Production hardening is in progress. This page documents the current controls and the controls planned before broader launch.
Data protection
Integration tokens are encrypted before storage. Supabase row-level security is used for user-owned product data, and server-side service access is kept to backend routes.
Local Obsidian markdown export is disabled by default and is not part of the hosted product runtime.
Access controls
OAuth state checks protect connection flows, Slack webhook requests are signature-verified, cron routes require authorization, and test routes are hidden outside development.
User-facing write actions such as sending a draft are tied to authenticated product or verified integration flows.
Monitoring roadmap
The next production hardening step is error monitoring with Sentry or Vercel monitoring, followed by a production smoke test checklist.
Formal security reviews, audit evidence, and SOC 2 work are planned for later stages.
Report an issue
Please send suspected security issues to hello@spicanova.ai with enough detail for us to reproduce and investigate.