FoodReport

Trust & Security

We take food-safety intelligence seriously — and we take protecting the people who rely on it just as seriously. This page describes the controls we have in place today. It is maintained by our team and is not an independent certification.

Data protection

All traffic to FoodReport is encrypted in transit with TLS.

User data is stored in a managed Postgres database with row-level security (RLS) policies that restrict each user to their own records. Administrative access is gated by role-based checks enforced server-side.

Backups and infrastructure are managed by our cloud provider (Supabase + Cloudflare) with provider-level redundancy.

Authentication & access

Sign-in uses email/password and Google OAuth. Sessions use short-lived tokens with automatic refresh.

Privileged actions (admin tools, scheduled jobs) require server-side role verification — they cannot be triggered from the browser by inspecting page source.

Internal cron jobs that refresh food-recall and incident data authenticate with a private secret never exposed to clients.

Data sources & privacy

Food-recall and incident data are aggregated from public regulatory sources (FDA, RASFF, FSA, CFIA, ANVISA, FSSAI, MFDS, MHLW, SAMR, FSANZ, and others). Source URLs and publication dates are preserved with each record.

We collect the minimum personal data required to operate accounts (email, optional profile name). We do not sell personal data.

Responsible disclosure

If you believe you've found a security issue, please email us before sharing details publicly. We aim to acknowledge reports within 5 business days.

security@foodreport.net

This page describes current practices and may evolve. It is not a third-party attestation or certification.