Security overview
How Äng protects your data and keeps the workspace secure. For privacy specifics — what data we collect and your rights — see the Privacy policy.
Infrastructure
Äng runs on Vercel (hosting and edge network) and Supabase (database, authentication, and object storage). Both providers maintain SOC 2 compliance and support data residency in the EU.
- Vercel — HTTPS everywhere, DDoS protection, automatic TLS certificate renewal.
- Supabase — Postgres with row-level security (RLS) enabled. Each user can only read and write their own boards and assets. Authentication uses Supabase Auth (OAuth via Google, magic link email).
Authentication
Supported methods are Google OAuth and email magic link. Passwords are never stored. Sessions are maintained via short-lived JWTs refreshed on every request. Supabase sessions are rotated on the server side using the @supabase/ssr library so tokens are never exposed in the browser URL.
Content Security Policy
Every page response includes a strict Content Security Policy (CSP) with a per-request cryptographic nonce. This means:
- Only scripts explicitly injected by our server (carrying the correct nonce) can execute. Scripts from XSS attacks are blocked.
- unsafe-inline is not permitted for scripts.
- script-src includes blob: and wasm-unsafe-eval so the ONNX runtime can load blob worker bundles and compile WebAssembly for on-device background removal (narrower than unsafe-eval).
- connect-src is restricted to a known allowlist of domains (Supabase, Sentry, Vercel, Hugging Face Hub and jsDelivr for on-device background removal / ONNX runtime assets, and OpenAI for optional voice transcription), blocking data exfiltration to arbitrary hosts.
- object-src 'none' — no plugins or embedded objects.
CSRF protection
All state-changing API requests (POST, PUT, PATCH, DELETE) are verified against a CSRF token. Requests without a valid token are rejected with HTTP 403 before reaching any handler.
Data isolation
Row-level security in Supabase enforces that each authenticated user can only access their own boards, images, and metadata. This is enforced at the database level, not only in application code.
AI and third-party processing
AI image generation and editing use the Google Gemini API. When you generate or edit an image, the relevant prompt and image data are sent to Google for processing, governed by Google's API terms and privacy policy. Äng does not retain prompt data beyond what is necessary to display your results.
Your content is never used to train AI models by Äng or shared with third parties for advertising.
Error monitoring
Äng uses Sentry for error monitoring (EU – Frankfurt). Session replays are only recorded when an error occurs; all text is masked and all images are blocked in replays. See the privacy policy for full details.
Responsible disclosure
If you discover a security vulnerability, please report it using the in-app feedback form or contact us via the email address in your account settings. We will acknowledge reports within 48 hours and aim to resolve confirmed issues promptly. We ask that you give us reasonable time to address the issue before public disclosure.