Infrastructure
Motixi runs on Vercel (frontend / edge) and Supabase (Postgres database, object storage, edge functions). All traffic is over TLS 1.3. Static asset delivery is fronted by Vercel's global CDN.
Authentication
Accounts use short-lived (15-minute) JWT access tokens with refresh-token rotation. Passwords are hashed with bcrypt. The platform admin surface is gated behind an explicit role check on every request.
Headers and isolation
Pages ship a strict per-request Content-Security-Policy with nonce-bound script-src + strict-dynamic, HSTS with a two-year max-age, frame-ancestors 'none', and a Permissions-Policy disabling features we don't use (camera, mic, payment, geolocation, etc.).
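One way to build and then audit the headers described above, as an added example that is not Motixi's own code. The function names and the object-src and base-uri directives are assumptions, not taken from this page.

```javascript
// Added example: hypothetical helpers, not Motixi's production code.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto;

// Build the headers for ONE response; a nonce must never be reused across requests.
function buildSecurityHeaders() {
  const bytes = webcrypto.getRandomValues(new Uint8Array(16)); // 128-bit nonce
  const nonce = btoa(String.fromCharCode(...bytes));
  const csp = [
    `script-src 'nonce-${nonce}' 'strict-dynamic'`,
    "frame-ancestors 'none'",
    "object-src 'none'", // assumption: not stated on the page
    "base-uri 'none'",   // assumption: not stated on the page
  ].join("; ");
  return {
    nonce, // rendered into <script nonce="..."> tags of this response only
    headers: {
      "Content-Security-Policy": csp,
      "Strict-Transport-Security": "max-age=63072000", // two years in seconds
      "Permissions-Policy": "camera=(), microphone=(), payment=(), geolocation=()",
    },
  };
}

// Parse a CSP header value into { directive: [source expressions] }.
function parseCsp(value) {
  const out = {};
  for (const part of value.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) out[name.toLowerCase()] = sources;
  }
  return out;
}

// Return a list of findings; an empty list means the headers match the stated policy.
function auditHeaders(headers) {
  const findings = [];
  const csp = parseCsp(headers["Content-Security-Policy"] || "");
  const script = csp["script-src"] || [];
  if (!script.some((s) => /^'nonce-[A-Za-z0-9+/_-]+={0,2}'$/.test(s))) findings.push("script-src has no nonce");
  if (!script.includes("'strict-dynamic'")) findings.push("script-src lacks 'strict-dynamic'");
  const fa = csp["frame-ancestors"] || [];
  if (fa.length !== 1 || fa[0] !== "'none'") findings.push("frame-ancestors is not 'none'");
  const m = /max-age=(\d+)/i.exec(headers["Strict-Transport-Security"] || "");
  if (!m || Number(m[1]) < 63072000) findings.push("HSTS max-age under two years");
  const pp = headers["Permissions-Policy"] || "";
  for (const f of ["camera", "microphone", "payment", "geolocation"])
    if (!new RegExp(`(^|,)\\s*${f}=\\(\\)`).test(pp)) findings.push(`${f} not disabled`);
  return findings;
}
```

Running auditHeaders over headers captured from two separate responses, and comparing the nonces, also confirms the policy is generated per request rather than cached.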
Data handling
See the Privacy Notice for what we collect, what we use it for, and how to ask for deletion.
Reporting a vulnerability
If you've found something that looks like a security issue, email us at petrov.cpay@gmail.com with a clear subject line. We'll respond within 72 hours and coordinate disclosure with you.
We don't currently run a paid bug-bounty programme, but we credit reporters who follow responsible disclosure on this page.
A formal security overview (SOC 2 status, sub-processor list, DPA template) is in preparation and will live here.