Legal notice
Security
Updated 9 May 2026
Security at LightSpot is engineered, not bolted on. This page documents how we handle authentication, secrets, data in transit and at rest, and the boundaries with our sub-processors. Found a vulnerability? Email security@lightspot.ai; we acknowledge within 24 hours.
1. Authentication
User accounts are authenticated via passwordless magic-link email or Google OAuth, both managed by BetterAuth. We never store passwords. Sessions are carried in HTTP-only, signed cookies with a 7-day rolling expiry and are invalidated server-side on logout. Magic-link tokens expire after 24 hours and are single-use.
2. API key handling
Public-API keys (lspai_live_…) are 32 random bytes encoded in base64url, generated server-side with the Node crypto.randomBytes CSPRNG. We store only the SHA-256 hash and a 15-character display prefix; the raw key is shown to the user once at creation and never again. Revoking a key sets its revokedAt timestamp; the hash is retained for the audit trail but can no longer authenticate any request.
Brute-force attempts are throttled at 10 failed authentications per minute per source IP, and every 401 response carries a 100 ms artificial delay to blunt key enumeration.
3. Encryption
All connections to the Service use TLS 1.3 with HSTS enabled. The managed Postgres database storing user, audit, subscription, and API key data is encrypted at rest with AES-256. Backups are encrypted with per-backup keys. Redis (job queue and rate-limit state) is reached over an authenticated TLS connection and holds only job metadata and short-lived counters; no audit content is persisted in Redis.
4. What gets sent to LLM providers
The audit pipeline sends specific data slices to specific providers, on demand only:
- Anthropic (Claude): page text content (truncated to roughly 8,000 characters per page) plus targeted prompt envelopes for the 12 semantic GEO criteria. One batched API call per page. We use Claude Haiku by default to bound cost.
- OpenAI / Perplexity (competitor detection only): short question-style prompts derived from the keywords and themes already extracted in the previous Claude step. We never send raw page content to OpenAI or Perplexity.
- Google PageSpeed Insights: the audited page URL. Nothing else.
None of these providers receive your account credentials, billing information, or GitHub tokens. Where a provider exposes a setting for training on request data, we leave it disabled; the Anthropic and OpenAI commercial APIs do not use API request data for model training by default.
5. GitHub tokens (autofix)
When you connect a GitHub repository for autofix, LightSpot stores a short-lived OAuth access token issued by GitHub. The token is encrypted at rest, scoped to the repositories you authorized, and used solely to clone the repo (shallow, depth=1) and open draft pull requests.
Cloning happens in an isolated temp directory on the worker, which is deleted at the end of each fix job. We do not retain the source code after the PR is opened; the canonical copy lives on your GitHub remote.
6. Secrets management
Provider API keys (Anthropic, OpenAI, Perplexity, Stripe, Resend) are stored as environment variables in our hosting provider's secret store, not in source control. Access to production secrets is limited to the founding team. CI builds use scoped secrets per environment.
7. Logging and monitoring
Application logs capture request method, path, status code, source IP, and an internal request ID. We never log Authorization headers, cookies, raw API keys, or audit content. Logs are retained for up to 30 days for security and debugging.
8. Tenant isolation
The platform is multi-tenant at the application layer. Every database read and write is scoped by userId or by an ownership check inside the handler. Public report links use unguessable share tokens.
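The scoping rule above is the difference between an insecure-direct-object-reference bug and a correct handler. The following added example, not LightSpot's code, puts the unscoped lookup beside the scoped one over a constructed in-memory "table" of audit reports; the record shape, field names and the allow-list of patchable fields are assumptions.

```javascript
// Added example (not LightSpot's code). `reports` is a constructed stand-in
// for a database table; field names are assumptions.
const reports = [
  { id: 'rpt_1', ownerId: 'user_a', url: 'https://a.example/', score: 71 },
  { id: 'rpt_2', ownerId: 'user_b', url: 'https://b.example/', score: 58 },
];

// Vulnerable: looks the row up by id alone, so any authenticated user who
// guesses or enumerates an id reads another tenant's report (IDOR).
function getReportUnscoped(reportId) {
  return reports.find(r => r.id === reportId) || null;
}

// Hardened: the tenant is part of the lookup predicate, the in-memory
// equivalent of `SELECT ... WHERE id = $1 AND owner_id = $2`. A missing row
// and a foreign row are indistinguishable to the caller (both a 404), so the
// handler does not confirm which ids exist for other tenants.
function getReportScoped(reportId, userId) {
  return reports.find(r => r.id === reportId && r.ownerId === userId) || null;
}

// Writes need the same predicate, plus an allow-list of patchable fields so a
// request body cannot rewrite ownerId. Returning the affected-row count lets
// the handler turn 0 into a 404 instead of a silent no-op.
const PATCHABLE_FIELDS = ['score'];

function updateReportScoped(reportId, userId, patch) {
  const row = getReportScoped(reportId, userId);
  if (!row) return 0;
  for (const field of PATCHABLE_FIELDS) {
    if (field in patch) row[field] = patch[field];
  }
  return 1;
}

module.exports = { getReportUnscoped, getReportScoped, updateReportScoped, reports };
```

The scoped form is the one to reach for by default; an ownership check performed after an unscoped fetch is equivalent only if every code path remembers to perform it, which is exactly the failure mode the predicate-based version removes.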
9. Incident response
We aim to acknowledge security reports within 24 hours and to provide a full assessment within 5 business days. We will notify affected customers without undue delay if a confirmed personal-data breach is likely to result in a risk to their rights and freedoms (GDPR art. 33 / 34 timelines).
To report a vulnerability: security@lightspot.ai. We do not currently run a paid bug-bounty program but we credit responsible disclosures publicly with permission.
10. Compliance posture
LightSpot is not currently SOC 2 or ISO 27001 certified. We follow the OWASP Application Security Verification Standard at level 2 as our internal baseline and run static analysis on every commit. Enterprise customers can request our security questionnaire and Data Processing Addendum at security@lightspot.ai.