Security at StartSalam
Your trust is the most important thing we build. Here is how we protect your account, your content, and your private messages — explained plainly.
Trust & Safety at a glance
- Encrypted connections (HTTPS everywhere)
- Secure authentication & hashed passwords
- Protected user data with row-level security
- Automated daily backups
- Abuse, spam & rate-limit protection
- Human and automated moderation
Quick answers
Where is my data stored?
StartSalam runs on Lovable Cloud, which uses Supabase (managed PostgreSQL) for the database, authentication, and file storage. Our data is hosted in the AWS US East (N. Virginia) region — us-east-1. The app itself is served from Cloudflare's global edge network.
Who can access my data?
Only you — plus StartSalam's small team of administrators and moderators, who may access reported content to keep the platform safe. Infrastructure providers (Supabase, Cloudflare) operate the servers but do not use your data for their own purposes. We never sell your data to advertisers.
Can StartSalam administrators see my password?
No. Passwords are hashed using industry-standard one-way algorithms before they ever touch our database. Not even StartSalam administrators can read them. If you forget your password, you reset it — we cannot recover the original.
How are private messages protected?
Private messages are stored in our database and protected by row-level security, meaning the database itself enforces that only you and the recipient can read them. Messages are encrypted in transit (HTTPS) and at rest. Moderators only access a private conversation if it is reported for safety reasons.
1. Security overview
StartSalam is built on a modern, security-first stack. We follow the principle of least privilege: by default, no one can access data they don't need. Every request is authenticated, every database query is scoped to the signed-in user, and every uploaded file is validated before it touches the platform.
2. Data storage and infrastructure
Our database, authentication, and storage run on Supabase, managed through Lovable Cloud, hosted in the AWS US East (N. Virginia) region — us-east-1. Our web application is deployed to Cloudflare's global edge network, which also provides DDoS protection and a global CDN. Infrastructure runs from professionally operated data centers with physical security controls.
3. Encryption in transit and at rest
All traffic between your device and StartSalam is encrypted with TLS 1.2 or higher (HTTPS). Data stored in our database and file storage is encrypted at rest using AES-256, the same standard used by banks and governments.
4. Authentication and password security
Authentication is handled by Supabase Auth. Passwords are hashed using a modern one-way algorithm and a unique salt per user — they are never stored in readable form. We also support Google sign-in, so you can use your existing Google account without creating another password.
5. Row-Level Security (RLS)
Every table in our database has Row-Level Security enabled. RLS policies are enforced by the database itself — not just by application code — so even in the unlikely event of a software bug, the database will refuse to return data to anyone who isn't allowed to see it. Admin and moderator access is granted through a separate, audited roles table to prevent privilege escalation.
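A sketch of how such policies can look on Supabase, added here as an example and not StartSalam's actual schema. It covers both the participant-only rule for private messages described under "How are private messages protected?" and the separate roles table described above. The table, column, type and function names are assumptions, as is flagging reports per message; `auth.uid()`, `auth.users` and the `authenticated` role are Supabase built-ins.

```sql
-- Hypothetical schema: every name below except auth.uid(), auth.users and the
-- "authenticated" role is an assumption made for illustration.
create type app_role as enum ('admin', 'moderator', 'user');

-- Roles live in their own table, not in a column the user can edit on a profile row.
create table user_roles (
  user_id uuid not null references auth.users (id) on delete cascade,
  role    app_role not null,
  primary key (user_id, role)
);
alter table user_roles enable row level security;

-- Only a SELECT policy exists, so signed-in clients cannot insert, update or
-- delete role rows: with RLS enabled, an operation without a policy is denied.
create policy "read own roles" on user_roles
  for select to authenticated
  using (user_id = auth.uid());

-- SECURITY DEFINER lets policies on other tables check roles without
-- re-entering the RLS policy on user_roles; search_path is pinned.
create function has_role(_role app_role) returns boolean
language sql stable security definer set search_path = public as $$
  select exists (
    select 1 from user_roles where user_id = auth.uid() and role = _role
  );
$$;

create table messages (
  id           bigint generated always as identity primary key,
  sender_id    uuid not null references auth.users (id),
  recipient_id uuid not null references auth.users (id),
  body         text not null,
  reported     boolean not null default false,
  created_at   timestamptz not null default now()
);
alter table messages enable row level security;

-- Only the two participants can read a message.
create policy "participants read" on messages
  for select to authenticated
  using (auth.uid() in (sender_id, recipient_id));

-- A user can only send as themselves and cannot pre-set the report flag.
create policy "sender inserts as self" on messages
  for insert to authenticated
  with check (sender_id = auth.uid() and not reported);

-- Moderators and admins see a message only once it has been reported.
create policy "staff read reported" on messages
  for select to authenticated
  using (reported and (has_role('moderator') or has_role('admin')));
```

Multiple permissive `SELECT` policies are combined with OR, so a moderator who is not a participant still gets no rows for unreported messages.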
6. Private media protection
Profile avatars are public so they can appear next to your posts. Uploaded videos are stored in a private storage bucket and served through short-lived signed URLs. If you set your profile to private, only approved followers can view your videos, and the URLs expire shortly after they're generated.
7. Moderation and safety systems
StartSalam combines automated safety systems with human moderators:
- Automated keyword filters auto-hide content containing severe hate speech, sexual content, or violence.
- Image and video scanning via Sightengine flags unsafe media at upload time.
- AI-assisted review via Google Gemini suggests moderation actions to admins — but only humans approve them.
- Rate limits at the database level prevent spam and abuse (20 posts/hour, 60 comments/hour, 120 messages/hour).
- Reports: when 3 or more distinct users report the same post, it is automatically hidden pending review.
- Repeat-offender detection auto-suspends or bans accounts with multiple confirmed violations.
- Audit log: every moderation decision (human or AI) is recorded with the actor, reason, and before/after state.
8. Backups and disaster recovery
Our database is backed up automatically every day by our infrastructure provider, with point-in-time recovery available. Backups are encrypted and stored in geographically separate locations so we can recover quickly from hardware failure or accidental loss.
9. Data portability and continuity
StartSalam is committed to protecting user access to their information. Our platform is built on industry-standard technologies and infrastructure that support data portability and long-term continuity.
Users may request access to their personal information in accordance with applicable privacy laws. In the event of a future platform migration, ownership transition, or infrastructure change, StartSalam will make reasonable efforts to preserve user accounts, content, and service continuity.
We regularly maintain backup and recovery procedures designed to support the reliability and availability of the platform.
10. Third-party providers
We use a small set of trusted providers, each governed by a data-processing agreement:
- Supabase — database, authentication, file storage
- Cloudflare — hosting, CDN, DDoS protection
- Sightengine — image and video safety scanning
- Google (Gemini via Lovable AI Gateway) — moderation classification
- Lovable — platform host and operator
None of these providers use your content for their own advertising or to train AI models on your behalf.
11. Responsible disclosure / security reporting
If you believe you've found a security vulnerability, please report it privately so we can fix it before it can be exploited.
- Email: security@startsalam.com
- Please include a clear description, steps to reproduce, and any proof-of-concept.
- Do not publicly disclose the issue until we've had a reasonable opportunity to address it.
- We will acknowledge your report within a few business days and keep you updated as we work on a fix.
We're grateful to the security researchers who help keep StartSalam safe.
Last updated: June 28, 2026 · See also our Privacy Policy.