Legal

Policies, agreements, and the things you should know.

Heads-up: This document is awaiting independent legal review. Provided in good faith; not legal advice.

Trust & security

Space Field is built by a small team operating from the UAE. We treat security as table-stakes engineering, not a feature. This page is a plain-English summary of what we do today and what we're actively working on.

What we do today

  • TLS 1.3 on every connection. HSTS enforced (max-age 2 years, includeSubDomains, preload).
  • Row-Level Security on multi-tenant tables. Workspace isolation enforced at the database layer, not just app code.
  • Role-based access control for the admin panel with per-route permission gates and a full audit log.
  • Rate limiting + IP rules on the edge, with admin controls for blocking specific addresses and customising per-route limits.
  • Security headers on every response: HSTS, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy, and a Content-Security-Policy (report-only while we tune it).
  • Cookies are Secure + HttpOnly + SameSite=Lax for session tokens.
  • Encrypted at rest — Supabase storage and database are encrypted with AES-256.
  • Daily backups with point-in-time recovery on the database.
  • Webhook signatures verified on incoming Paddle calls; outbound webhooks are HMAC-signed.

What we're working on

  • Third-party penetration test before our public launch.
  • External error tracking (Sentry) with source-mapped releases.
  • Synthetic monitoring + public uptime page on status.spacefield.co.
  • SOC 2 Type 1 readiness (Drata or Vanta as the control plane).
  • MFA / 2FA opt-in for end users (already planned for admins).
  • Documented incident-response and breach-notification runbooks.

Subprocessors & data flow

See the Subprocessors page for the full list of third parties involved in serving the platform. Customer data is stored on Supabase infrastructure in the European Union with global edge caching via Vercel.

Responsible disclosure

If you believe you've found a security issue, please email security@spacefield.co. We aim to acknowledge within 72 hours and resolve verified issues promptly. Please give us reasonable time to fix before public disclosure. Our machine-readable contact info lives at /.well-known/security.txt.

We do not yet run a paid bug bounty program. Notable researchers may be acknowledged in the hall of fame below (with consent).

Hall of fame

Once we receive valid reports, names go here. Empty for now.

Questions

Enterprise security questionnaires: security@spacefield.co.