Security
Security posture
This page describes the controls ForoCivic currently uses. It is an honest current-state summary, not a certification statement.
Last reviewed March 2026
Primary stack
Next.js, Supabase, and server actions
Authentication, data access, and writes are currently handled through the application server and managed Postgres.
Access control
Role-based and organization-scoped
Admins, moderators, residents, and organization members are separated by app logic and database policies.
Operational posture
Current-state disclosure only
No SOC 2, independent penetration test, or formal certification is claimed on this page.
What is currently in place
Authentication is handled through the application and the Supabase auth stack. Access-sensitive mutations run on the server, not only in the browser.
Organization data is scoped by tenant boundaries. Community orgs, membership, invites, verification requests, and issue participation are separated by role and organization context.
Resident verification, join requests, and moderation actions all use backend enforcement paths. Users cannot become verified or gain access by changing only the client UI.
- Server-side authorization for protected actions
- Row-level security for org-scoped tables
- Role-based UI gating for admin and moderator surfaces
- Rate limiting and input validation on sensitive actions where currently implemented
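The following is an added illustration, not ForoCivic's schema or policies, of what "row-level security for org-scoped tables" and "server-side authorization" look like in Supabase-managed Postgres. The table and column names (`organizations`, `org_memberships`, `issues`) and the role values are assumptions chosen for the example; `auth.uid()` is the Supabase-provided function that returns the caller's user id from the request JWT. The weak policy is shown commented out beside the corrected one.

```sql
-- Constructed example: hypothetical tables, not ForoCivic's real schema.
create table organizations (
  id   uuid primary key default gen_random_uuid(),
  name text not null
);

create table org_memberships (
  org_id  uuid not null references organizations(id),
  user_id uuid not null,                 -- matches auth.users.id in Supabase
  role    text not null check (role in ('admin', 'moderator', 'member')),
  primary key (org_id, user_id)
);

create table issues (
  id        uuid primary key default gen_random_uuid(),
  org_id    uuid not null references organizations(id),
  author_id uuid not null,
  title     text not null,
  body      text
);

-- Without RLS enabled, any policy text is ignored and the table is open to
-- every authenticated client that holds the anon key. Enable it explicitly.
alter table issues         enable row level security;
alter table org_memberships enable row level security;

-- Weak setting (commented out): visible to every signed-in user, tenancy ignored.
-- create policy "issues_read_all" on issues for select using (true);

-- Corrected: a row is readable only by members of the row's organization.
create policy "issues_select_same_org" on issues
  for select
  using (
    exists (
      select 1 from org_memberships m
      where m.org_id  = issues.org_id
        and m.user_id = auth.uid()
    )
  );

-- Inserts: the caller must belong to the target org, and author_id must be
-- the caller. A client that sends a different author_id is rejected by the
-- database, not merely by UI gating.
create policy "issues_insert_own_org" on issues
  for insert
  with check (
    author_id = auth.uid()
    and exists (
      select 1 from org_memberships m
      where m.org_id = issues.org_id and m.user_id = auth.uid()
    )
  );

-- Moderation: only admins or moderators of that org may update rows.
create policy "issues_moderate_update" on issues
  for update
  using (
    exists (
      select 1 from org_memberships m
      where m.org_id  = issues.org_id
        and m.user_id = auth.uid()
        and m.role in ('admin', 'moderator')
    )
  );

-- Memberships: a user can read only their own membership rows. This also
-- makes the EXISTS subqueries above work, because subqueries inside a policy
-- are themselves subject to the caller's RLS on org_memberships.
create policy "memberships_select_own" on org_memberships
  for select
  using (user_id = auth.uid());

-- No insert/update policy on org_memberships is granted to clients on purpose:
-- role changes (verification, join approval) run in a server action using the
-- service-role connection, which bypasses RLS and therefore must never reach
-- the browser.
```

Two checks worth running against any deployment of this pattern: confirm `rowsecurity` is true for every tenant-scoped table (`select relname, relrowsecurity from pg_class where relkind = 'r'`), and confirm the service-role key appears only in server-side environment configuration, since it silently disables every policy above.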
What we do not claim
This repository does not claim formal compliance certification, independent audit status, or a universal legal guarantee of security.
If a municipality requires a specific security questionnaire, hosted deployment review, or third-party assessment, that process still needs to be completed separately.
Any external data provider, email provider, or hosting platform has its own operational settings that must be reviewed by the operator before launch.
Operational safeguards
High-risk routes are protected with server-side access checks. Admin-only analysis, settings, resident review, and moderation surfaces are not intended for citizen access.
The application distinguishes between public marketing pages and authenticated workspace surfaces. Sensitive pages are not exposed as anonymous write endpoints.
Sensitive user data such as address and resident verification material is kept in private workflows rather than in general public profile surfaces.
Responsible disclosure
If you believe you have found a security vulnerability, report it to support@forocivic.com with a clear description and reproduction steps.
We will review reports promptly and work with municipalities or affected parties as appropriate.
Contact and review
If you are evaluating ForoCivic for a pilot or procurement review, request the current security questionnaire and deployment summary from the team before signing.