SlopWeaver

Security

How I protect your data (and what risks remain)

SlopWeaver accesses your email, Slack messages, and Linear issues. That's sensitive data, and granting access to any third-party app is a risk. Here's what I do to minimize that risk, and what you should know before connecting your accounts.

The Honest Risk

When you connect Gmail, Slack, or Linear, you're trusting a solo developer with access to your communications. That's a real tradeoff. I'm a DevSecOps engineer by trade, so I know how to build secure systems—but I don't have a security team or formal audits. If that's a dealbreaker for your risk tolerance, I understand.

You can revoke access anytime from your integration settings. SlopWeaver immediately stops syncing and deletes stored tokens.

Infrastructure Security

The infrastructure is designed with defense-in-depth principles:

Encrypted DatabaseAll data is hosted on Supabase's secure PostgreSQL infrastructure with automatic encryption at rest using AES-256.
TLS Encryption in TransitAll connections use TLS 1.3 encryption. No data is ever transmitted in plain text between your browser, SlopWeaver's servers, or third-party services.
Encrypted OAuth TokensOAuth tokens for Gmail, Slack, and Linear are encrypted using AES-256 before storage. Even if the database were compromised, tokens would be unusable.
Row-Level SecurityMulti-tenant architecture with Row-Level Security (RLS) policies ensures users can only access their own data. Database queries are physically isolated at the row level.

AI Security

SlopWeaver uses AI to power suggestions. Here's how your data interacts with AI systems:

  • Anthropic (Claude) and OpenAI APIs with data processing agreements that prohibit model training on your data
  • Your messages are sent to AI providers only when generating suggestions—never stored by AI providers
  • AI-generated content is clearly labeled and never sent without your explicit approval
  • Prompt injection protections prevent malicious content from manipulating AI behavior

Authentication & Access

Multiple layers of access control:

  • Supabase Auth with secure session management and automatic token rotation
  • OAuth 2.0 with PKCE for third-party integrations (no passwords stored)
  • Rate limiting on all API endpoints to prevent abuse
  • CORS policies restrict API access to authorized domains only

Data Handling

You maintain control over your data at all times:

Message PrivacyAll synced messages are indexed for search but never shared between users or used to train AI models.
Integration RevocationRevoke integration access anytime from Settings. Stored tokens are immediately deleted and syncing stops.
Account DeletionDelete your account and all associated data at any time. Deletion is permanent within 30 days (90 days for backups).
Data ExportRequest a full export of your data in JSON format. Delivered within 7 business days.

Compliance

Current compliance status:

  • GDPR-compliant data handling for EU users
  • CCPA-compliant privacy practices for California residents
  • Built by a DevSecOps engineer who does this professionally
  • No formal certifications yet—this is a solo project in beta

Vulnerability Reporting

If you discover a security vulnerability, please report it to slopweaver.ai@gmail.com. I take all reports seriously and will respond within 48 hours.

No formal bug bounty program, but I'm happy to acknowledge researchers who report valid vulnerabilities (with your permission).

Questions?

If you have questions about security practices, contact me at slopweaver.ai@gmail.com.