This page is maintained by the operator of gpta.dev. It describes controls enabled on the app and is not an independent certification.
[ access control ]
- shared-passphrase site-gate on every non-public route
- separate admin passphrase required for admin dashboard
- encrypted, http-only, same-site session cookies (7-day ttl)
- timing-safe passphrase comparison (sha-256 digest compare)
[ transport & storage ]
- tls 1.2+ for all traffic; hsts enforced by host
- row-level security enabled on every user-data table
- service-role credentials never shipped to the browser
- secrets stored in encrypted secret store; never in source
[ hardening ]
- no third-party analytics or trackers
- minimal public surface: 4 static pages, 1 login endpoint
- rate-limited login with server-side delay on failure
- content-security via same-origin defaults
[ what we don't do ]
GPTA does not claim SOC 2, ISO 27001, HIPAA, PCI DSS, or GDPR certification. It is a personal / small-team tool. Do not use it to process regulated data unless you have your own compliance program.
[ responsible disclosure ]
Found a vulnerability? Please email security@gpta.dev with steps to reproduce. Do not disclose publicly until a fix has shipped. No bounty is offered, but credit is available on request.