Infrastructure and sub-processors
share.env runs on a small, named set of providers, each under a data processing agreement:
- Supabase Postgres database, authentication, and encrypted file storage. Row Level Security policies run inside the database itself, so authorization holds even if application code has a bug.
- Vercel application hosting and edge network for the web app and API routes.
- A transactional email provider used only for invite and account emails.
How access is enforced
- Row Level Security is enabled on every table with no exceptions; the default is deny-all, and every operation needs an explicit policy.
- Workspace roles (owner, editor, viewer) are enforced by those database policies, not just hidden in the UI a missing button is UX, not a security boundary.
- Share links use cryptographically generated, high-entropy tokens, always carry an expiry, and can be revoked instantly.
- Password-protected environments layer a scrypt-hashed password with TOTP or a passkey, and optionally a workspace-issued Access Key, before any content is returned.
Data protection
File contents are encrypted at rest in Supabase Storage. We don't log the contents of your .env files or access tokens in application logs, error trackers, or analytics.
Compliance status
share.env is an early-stage product. We haven't pursued SOC 2 or ISO 27001 certification yet, and we won't claim we have. What we do have is enforced from day one: database-level RLS, encryption at rest, and least-privilege use of service-role credentials. We'll update this page if that changes.
Reporting a vulnerability
If you find a security issue, email kpzsproductionscontact@gmail.com with details and, if possible, steps to reproduce. We don't yet run a paid bug bounty program, but we will acknowledge reports, fix confirmed issues promptly, and credit reporters who want credit.
Please don't test against other users' data or workspaces you don't own; use your own account and environments.