Security

Wafeed takes data security seriously. This page outlines the technical and operational measures we use to protect business and customer data. It is intended to be transparent about how we approach security — not as a guarantee of perfect security.

• Passwords are never stored in plaintext. Authentication is handled by Supabase Auth, which stores password hashes using a secure hashing algorithm.
• All dashboard pages require an authenticated session.
• Session tokens are stored securely and expire after a period of inactivity.
• Email verification is required to activate a new account.

Wafeed uses a role hierarchy to restrict access:

• Standard users can only access their own business data.
• Admin users can manage platform users, businesses, and subscriptions.
• Super-admin users can manage admin accounts and system settings.
• Admins cannot modify other super-admin accounts — this is enforced server-side.

All admin actions are recorded in an audit log.

All database tables use Supabase's Row Level Security (RLS) policies. This means:

• Each business user can only read and write their own data — data from other businesses is inaccessible at the database level.
• Public read policies (for feedback pages) only expose data for active businesses and active links.
• API routes that use the Supabase admin client are server-side only and protected with server-side authentication checks.

All communication between your browser and the Wafeed service is encrypted using HTTPS (TLS). This applies to:

• The dashboard and all authenticated pages.
• Public feedback submission pages.
• API routes used for data export and feedback processing.

• API keys, database credentials, SMTP passwords, and other secrets are stored as environment variables — never in source code or client-side bundles.
• The Supabase service role key (admin-level database access) is only used server-side.
• Public environment variables (NEXT_PUBLIC_*) contain only information safe to expose in the browser (e.g. Supabase project URL, anon key).

Default platform SMTP credentials are stored server-side as environment variables. They are never exposed to the browser or included in client bundles.

Custom SMTP: Business plan users may configure their own SMTP credentials. Custom SMTP password storage requires encrypted storage at the database level. This feature is only made available when secure credential storage is supported. You are responsible for the security of your own SMTP credentials and for setting up proper email authentication (SPF, DKIM, DMARC) on your domain.

• Customer IP addresses are hashed with a secret salt before storage — raw IPs are never stored in readable form.
• Public feedback forms include honeypot fields to detect automated bot submissions.
• Feedback submission rate limits are enforced per business account.

All CSV exports apply formula injection protection: cell values beginning with characters that could be interpreted as spreadsheet formulas (=, +, -, @) are prefixed to neutralise them. This prevents malicious content in feedback comments from executing as formulas when the CSV is opened in a spreadsheet application.

Database backups depend on the configuration of the Supabase project. Supabase provides point-in-time recovery and automated backups on paid plans. We recommend maintaining your own data exports via the CSV export feature on supported plans.

If you discover a security vulnerability in Wafeed, we ask that you report it to us responsibly rather than publicly disclosing it. Please:

• Do not access, modify, or delete data that does not belong to you.
• Do not exploit the vulnerability beyond what is necessary to demonstrate it.
• Report your findings to us as soon as possible.

Report vulnerabilities by email to support@wafeed.co.

We aim to acknowledge security reports within 3 business days and to provide an initial assessment within 7 business days. We do not currently offer a bug bounty programme, but we will credit responsible disclosures if you wish.

For security questions or vulnerability reports, contact us via the contact page or directly at support@wafeed.co.