fenly.io/security

Security

At Fenly, security is a core responsibility. This page documents our process for handling security vulnerability reports and our commitment to responsible disclosure.


Reporting a Vulnerability

If you discover a security vulnerability in Fenly or any of our services, please report it to us privately. We ask that you do not publicly disclose the issue until we have had the opportunity to address it.

Contact
security@fenly.io

Our Response Commitment

Within 48 hours

We acknowledge receipt of your report.

Within 7 days

We provide an initial assessment and expected resolution timeline.

Ongoing

We keep you informed of progress until the issue is resolved.

After fix

With your permission, we credit you in our release notes.

Scope

The following are in scope for security reports:

  • fenly.io — main web application
  • api.fenly.io — API endpoints
  • Fenly Figma Plugin (plugin ID: Fenly — Sync Design System)
  • Authentication flows (Clerk integration)
  • Data handling and storage (Supabase/PostgreSQL)

Responsible Disclosure Guidelines

When researching and reporting vulnerabilities, we ask that you:

  • Do not access, modify, or delete data belonging to other users.
  • Do not perform denial-of-service attacks or disrupt our services.
  • Do not publicly disclose the issue before we have resolved it.
  • Make a good-faith effort to avoid privacy violations and data destruction.
  • Only interact with accounts you own or have explicit permission to test.

Our Security Practices

  • Encryption in transit: all traffic is served over HTTPS/TLS.
  • Encryption at rest: data stored in Supabase (PostgreSQL) is encrypted at rest with AES-256.
  • Authentication: managed by Clerk, which provides industry-standard OAuth and session management.
  • Dependency management: regular automated dependency updates via Dependabot.
  • Access control: least-privilege principles applied across all services.
  • Secret management: secrets are stored in Vercel environment variables, never in code.

Security Accreditations

Fenly is currently in early-stage development and does not hold formal certifications such as SOC 2, PCI DSS, HITRUST, ISO 27001, or SSAE 18. We are committed to pursuing SOC 2 Type II certification as we scale. In the meantime, we follow the security practices outlined above and work with industry-leading infrastructure providers (Vercel, Supabase, Clerk) that maintain their own compliance programs.


Last updated: March 2026
