TRUST
Security
Taploon writes published content into your own infrastructure, so we treat security as a first-class part of the product. Here is how we protect it.
The ingest endpoint
Articles are delivered to your site through a secure ingest endpoint that you install. It is built to be safe by design:
- API-key authentication: every delivery must present a secret key in an Authorization header, checked with a constant-time comparison.
- Unguessable URL: the endpoint lives behind a high-entropy random path, so it cannot be discovered by scanning. Treat the full URL as a secret.
- Hash-only key storage: we store only a hash of your delivery key, never the key itself.
- Strict validation: malformed or unauthenticated requests are rejected.
- Replay protection: deliveries are idempotent, so a repeated push cannot double-publish.
- No personal data: delivery payloads contain article content and metadata only.
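The controls in the list above, sketched as an added example that is not Taploon's own code: a handler that keeps only a hash of the delivery key, compares in constant time, rejects malformed requests, and treats a repeated push as a no-op. The `Bearer` scheme, SHA-256, the `delivery_id`/`title`/`content` field names, the status codes and the sample key are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample key; the handler keeps only its SHA-256 digest.
SAMPLE_KEY = "tk_constructed_sample_key_0001"
STORED_KEY_HASH = hashlib.sha256(SAMPLE_KEY.encode()).digest()


class IngestHandler:
    """Hypothetical ingest logic: authenticate, validate, deduplicate."""

    def __init__(self, key_hash: bytes):
        self.key_hash = key_hash
        self.published = {}  # delivery_id -> article; stands in for a database

    def _authenticated(self, headers: dict) -> bool:
        scheme, _, presented = headers.get("Authorization", "").partition(" ")
        if scheme != "Bearer" or not presented:
            return False
        digest = hashlib.sha256(presented.encode()).digest()
        # compare_digest's running time does not depend on where inputs differ.
        return hmac.compare_digest(digest, self.key_hash)

    def handle(self, headers: dict, body: bytes) -> tuple:
        # Authenticate first so unauthenticated bodies are never parsed.
        if not self._authenticated(headers):
            return 401, "unauthorized"
        try:
            payload = json.loads(body)
        except ValueError:  # also covers invalid UTF-8 in the body
            return 400, "malformed JSON"
        if not isinstance(payload, dict):
            return 400, "payload must be an object"
        fields = [payload.get(k) for k in ("delivery_id", "title", "content")]
        if not all(isinstance(v, str) and v for v in fields):
            return 400, "missing or invalid fields"
        delivery_id, title, content = fields
        if delivery_id in self.published:
            # Repeated push: acknowledge it without publishing a second time.
            return 200, "duplicate"
        self.published[delivery_id] = {"title": title, "content": content}
        return 201, "published"
```

A production handler would back `published` with durable storage so that deduplication survives restarts.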
Your account and data
- Authentication is handled by Supabase Auth, with email and Google sign-in.
- Row-Level Security isolates every workspace, so you can only access your own data.
- Secrets and service keys are kept server-side and never exposed to the browser.
- Billing is handled by Dodo Payments. We never see or store your card details.
Content integrity
Every article is reviewed by a human before delivery. Our generation rules forbid fake statistics, invented claims, and unsupported promises, which protects the reputation of the domain it gets published on.
Responsible disclosure
Found a vulnerability? We want to hear from you. Email security@taploon.com with the details and we will respond quickly. Please give us reasonable time to fix an issue before disclosing it publicly.