Trust & Security
We take food-safety intelligence seriously — and we take protecting the people who rely on it just as seriously. This page describes the controls we have in place today. It is maintained by our team and is not an independent certification.
All traffic to FoodReport is encrypted in transit with TLS.
User data is stored in a managed Postgres database with row-level security (RLS) policies that restrict each user to their own records. Administrative access is gated by role-based checks enforced server-side.
Backups and infrastructure are managed by our cloud provider (Supabase + Cloudflare) with provider-level redundancy.
Sign-in uses email/password and Google OAuth. Sessions use short-lived tokens with automatic refresh.
Privileged actions (admin tools, scheduled jobs) require server-side role verification — they cannot be triggered from the browser by inspecting page source.
Internal cron jobs that refresh food-recall and incident data authenticate with a private secret never exposed to clients.
Food-recall and incident data are aggregated from public regulatory sources (FDA, RASFF, FSA, CFIA, ANVISA, FSSAI, MFDS, MHLW, SAMR, FSANZ, and others). Source URLs and publication dates are preserved with each record.
We collect the minimum personal data required to operate accounts (email, optional profile name). We do not sell personal data.
If you believe you've found a security issue, please email us before sharing details publicly. We aim to acknowledge reports within 5 business days.
This page describes current practices and may evolve. It is not a third-party attestation or certification.