Security

• Application routes are protected server-side so unauthenticated users are redirected to sign in.
• Email/password accounts use strong password validation and bcrypt password hashing.
• OAuth sign-in can be enabled for providers such as Google and Apple through Auth.js.
• Sessions are managed with secure, HTTP-only authentication cookies through Auth.js.
• Sign-in and signup flows use generic error messages to reduce account enumeration risk.

• Server Actions and API routes validate inputs with Zod or typed server-side logic.
• Database queries are scoped by authenticated user IDs for user-owned notes, tags, topics, canvases, and exports.
• Pro-only features such as full AI features, additional canvas access, and exports are checked on the server.
• Rate limiting is applied to login and signup attempts using request fingerprints.
• Security events are logged with event type, timestamp, hashed IP-derived fingerprint, and user agent where available.

• The production deployment should run behind HTTPS with a valid TLS certificate.
• Security headers include Content Security Policy, Referrer-Policy, Permissions-Policy, X-Content-Type-Options, X-Frame-Options, and production HSTS.
• The current Content Security Policy allows the app, Google Analytics, OpenAI API calls, and required inline styles/scripts for the Next.js application.
• The app includes accessible focus states and avoids hidden navigation traps that could interfere with secure account flows.

• AI organization runs only after a user action, not automatically in the background.
• When AI is configured, relevant note content may be sent to the AI provider to complete the requested action.
• If no AI API key is configured, Underline uses mock responses instead of sending content to an external AI provider.
• AI output is treated as suggested content and should be reviewed by the user before relying on it.

• Stripe handles checkout, payment method collection, subscriptions, trials, invoices, and billing portal sessions.
• Underline stores Stripe customer and subscription identifiers, plan, status, price, and current-period metadata, but not full card numbers.
• Stripe webhook events are verified with the configured webhook secret before subscription state is synchronized.

Underline’s MVP does not yet include end-to-end encryption, customer-managed encryption keys, enterprise SSO enforcement, SCIM, formal SOC 2 or ISO 27001 reports, audit log exports, granular workspace roles, or dedicated data residency controls. Do not store highly regulated data such as protected health information, payment card numbers, government secrets, or other information that requires specialized compliance controls unless a written agreement says otherwise.

If you believe you found a vulnerability, please report it promptly and avoid accessing, modifying, or deleting data that is not yours. Include a clear description, affected URLs, reproduction steps, and impact. Security reports can be sent to security@useunderline.app.