Security
Security posture.
StoryHQ handles confidential creative material. This page describes the concrete controls currently built into the product and the limits of those controls.
Last updated 1 June 2026
01
Workspace isolation
Projects, materials, generated reports, draft comparisons, notes, Q chat, workspace messages, activity events, pinned projects, and member records are scoped to a workspace.
Database access is protected with Supabase row-level security policies. Server code also checks workspace membership before returning materials, reports, messages, and app data.
Service-role database access is kept server-only and is paired with explicit workspace, entitlement, and role checks in the server actions and API routes that need elevated privileges.
02
Authentication and access
StoryHQ supports email/password accounts and OAuth sign-in with configured providers such as Google and Apple. Passwords must meet the product password policy, and password-reset flows require a short-lived recovery marker after email verification.
Signed-in app sessions are gated by a second factor. Users without a stronger factor complete email OTP verification per session; users with verified authenticator-app MFA complete the authenticator challenge; passkey/WebAuthn sessions are recognized where enabled.
A 15-minute idle timeout clears the app session after inactivity. Workspace owners and administrators control invitations and roles. Individual workspaces are solo-only. Team invitations and access are gated by plan and seat rules.
03
Material storage and access
Uploaded files are stored in private Supabase Storage buckets, not public buckets. Uploads use signed upload URLs. Viewing or downloading material goes through StoryHQ routes that verify workspace access.
Served PDFs are forensically watermarked with viewer identity and access time. The watermark is applied before streaming the file and the route fails closed if watermarking cannot be completed.
Reader-role users can view permitted material inline but cannot download material or export/share reports and comparisons. Report and comparison export links are short-lived signed links and exported PDFs are watermarked for the user or named recipient.
04
AI processing
StoryHQ’s AI pipeline must read uploaded material to extract metadata, classify format, run analysis, generate notes, compare drafts, and answer project questions. This means StoryHQ is not end-to-end encrypted or zero-knowledge.
The app is designed to avoid logging raw material text in application logs where possible. Model calls, cost data, status, prompts, responses, and audit metadata may be processed or logged where needed to provide the requested feature, debug failures, monitor reliability, and track cost.
Model-provider handling, retention, and compliance terms are governed by the provider accounts and terms used to operate the service. Users should not upload material if their confidentiality, employment, guild, union, production, or rights obligations prohibit this kind of AI processing.
05
Application and browser controls
- Rate limits protect sensitive flows such as authentication and analysis requests.
- Server actions and API routes validate inputs with schemas where practical.
- Entitlement checks are repeated on route handlers and server actions, not only in the page layout.
- Billing state is written server-side from Stripe webhooks and server-side synchronization.
- Project access, material access, report access, exports, and deletion flows are checked against the current workspace.
- Security headers include HTTPS Strict Transport Security, a nonce-based Content Security Policy, frame-ancestor blocking, MIME sniffing protection, a restrictive referrer policy, and a permissions policy disabling camera, microphone, geolocation, and browsing-topics APIs.
06
Operational monitoring
StoryHQ uses error reporting, structured events, health checks, audit events, and background job status to monitor the service. Inngest handles durable background work for extraction and analysis.
Security review is an ongoing workstream. StoryHQ does not currently claim SOC 2 certification, ISO 27001 certification, HIPAA compliance, or a completed third-party penetration test.
07
Customer responsibilities
Users should use strong passwords, keep MFA enabled where available, invite only authorized collaborators, remove team members who no longer need access, avoid forwarding exports outside the intended group, and upload only material they are permitted to process.