Security
Last updated: June 13, 2026
Infrastructure
- The application runs on Vercel; data lives in Neon (managed PostgreSQL). Both encrypt data in transit (TLS) and at rest.
- All traffic to Upshot is HTTPS-only.
- The embeddable widget is iframe-isolated: it cannot read or touch the host page, and the host page cannot reach into the board.
Application
- Passwords are hashed with bcrypt; sign-in with Google (OAuth) is supported so you can avoid passwords entirely.
- Workspace data is isolated per organization at the query layer — every admin query is scoped to the authenticated workspace.
- Stripe revenue sync accepts restricted, read-only keys only (rk_…) — full secret keys are rejected. The key is used solely to read customer subscription amounts.
- Payments are processed by Polar as merchant of record; card data never touches our servers.
- Billing webhooks are signature-verified and deduplicated before being applied.
Data minimisation
- Anonymous voting works without an account; vote dedupe uses a one-way hash rather than storing raw IP addresses alongside votes.
- Voter emails are optional, used only for ship notifications, and every email has a one-click unsubscribe.
- AI features send only the request text needed for the task (categorization, dedupe, drafting) to Anthropic, and only when a workspace actively uses them. No model training on your data.
Disclosure
Found a vulnerability? Email support@masmstudios.com — we read every report, will respond as fast as we can, and won't take legal action against good-faith research.