
01 / Security

Security is built in, not bolted on.

Folio holds the work that represents you, so protecting it is a first-class concern, not an afterthought. We encrypt your data, gate the most sensitive controls behind passkeys, and keep customers isolated from one another by default. Below is a plain account of how we do it and how to reach us if you find something we missed.

02 / Practices

How we protect your data.

These are the controls we run today. They are layered, so a gap in any one of them does not expose your account on its own.

Encryption

In transit and at rest

Traffic to Folio is served over HTTPS, with TLS terminated and certificates managed automatically at our edge. Your account data lives in managed Postgres and your uploads in object storage, both encrypted at rest by the provider.

Authentication

Passkeys, Google, and email

Sign in with a passkey, Google, or an email link through Better Auth. Elevated super-admin access is passkey-only, so the most sensitive controls cannot be reached with a password alone.

Tenant isolation

Your workspace stays yours

Folio is multi-tenant by design. Every request is scoped to its tenant, and data access is filtered by tenant on the server so one customer can never read or write another customer's content.

Infrastructure

Managed hosting, least privilege

The application, database, and supporting services run on managed cloud infrastructure. Database roles are provisioned with least-privilege grants, and secrets are injected from the environment rather than committed to the repository.

Hardening

Defense at the application layer

We run a Content Security Policy, rate limiting on sensitive endpoints, input validation and sanitization, and honeypot fields on public forms to blunt automated abuse before it reaches your data.

Monitoring

Audit logging and error tracking

Administrative actions are recorded in an audit log protected with integrity checksums, and application errors flow to a self-hosted error monitor so we can detect and investigate issues quickly.
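As an added illustration of the integrity protection described above (not Folio's own code), the following keyed, hash-chained audit log shows how checksums let a reviewer detect that an entry was altered, removed or reordered after the fact. It goes slightly beyond per-entry checksums by chaining each checksum to the previous one; the key, actors and actions are constructed for the example.

```python
import hashlib
import hmac
import json
from typing import Any, Dict, List

# Constructed key for this example only; a deployment would inject it from the environment.
EXAMPLE_KEY = b"example-audit-key-not-for-production"


def _entry_digest(prev_digest: str, record: Dict[str, Any], key: bytes) -> str:
    """Keyed checksum over the previous digest plus a canonical JSON encoding of the record.
    Chaining means editing any earlier entry invalidates every entry after it."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_digest.encode() + canonical, hashlib.sha256).hexdigest()


class AuditLog:
    GENESIS = "0" * 64  # digest assumed for "the entry before the first one"

    def __init__(self, key: bytes = EXAMPLE_KEY):
        self.key = key
        self.entries: List[Dict[str, Any]] = []

    def append(self, actor: str, action: str, target: str) -> Dict[str, Any]:
        """Record an administrative action, linking it to the previous entry's digest."""
        prev = self.entries[-1]["digest"] if self.entries else self.GENESIS
        record = {"seq": len(self.entries), "actor": actor, "action": action, "target": target}
        entry = dict(record, digest=_entry_digest(prev, record, self.key))
        self.entries.append(entry)
        return entry

    def verify(self) -> int:
        """Return -1 if every entry chains correctly, otherwise the index of the first bad entry.
        A wrong seq catches deletion or reordering; a wrong digest catches edits."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            record = {k: v for k, v in entry.items() if k != "digest"}
            expected = _entry_digest(prev, record, self.key)
            if entry.get("seq") != i or not hmac.compare_digest(entry["digest"], expected):
                return i
            prev = entry["digest"]
        return -1
```

Trimming entries from the tail is the one change the chain alone does not reveal, so periodically anchoring the latest digest somewhere outside the log (a separate store or a signed timestamp) closes that gap.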

Privacy-respecting AI

Native, on-device intelligence

Folio AI features run natively inside the product rather than calling out to third-party model providers. Your content is not sold and is not used to train external models.

03 / Compliance posture

Honest about where we stand.

We design and operate Folio against the kind of controls that formal frameworks ask for, and we are intentional about not claiming more than we have earned. Folio is not currently certified under SOC 2 or ISO 27001, and we do not represent the product as HIPAA compliant. Pursuing formal third-party attestations is on our roadmap, and we will publish them here when they are complete.

In the meantime, our data-handling commitments are written down. The documents below describe what we collect, how we process it on your behalf, who our subprocessors are, and how we approach accessibility.

04 / Responsible disclosure

Found something? Tell us.

We welcome reports from security researchers and act on them in good faith. The fastest way to reach us is email.

Report to

security@wrxstack.com

Please include a clear description, the steps to reproduce, and any proof-of-concept. If you can, share the affected URL and a rough assessment of impact.

Our commitment to you

  • We will acknowledge your report and let you know we are looking into it.
  • We will investigate, keep you updated on our progress, and work to fix confirmed issues promptly.
  • We are happy to credit you for a valid, original report once the issue is resolved, if you would like the recognition.

Safe harbor and ground rules

If you make a good-faith effort to follow this policy, we will not pursue legal action against you for your research, and we will treat your report as authorized. In return, please give us a reasonable chance to fix the issue before disclosing it publicly, and please do not access, modify, or delete data that is not your own.

In scope

The Folio web application and its public APIs at portfolio.wrxstack.com and tenant workspaces under it.

Out of scope

Third-party services we depend on, social-engineering or phishing of our team or customers, and reports that are theoretical with no demonstrated impact.

Please do not run disruptive tests. No denial-of-service, no automated scanning that degrades the service, and no spam or large-volume requests against production.

05 / Report a vulnerability

Send it through the form.

Prefer not to email? Use the form below. It routes straight to our security inbox alongside the rest of our team's triage.

Contact

Report a security issue

Share what you found and how to reproduce it. Include the affected URL and any proof-of-concept, and we will follow up by email.


Talk to us

Questions about security?

Whether you are reviewing Folio for your team or ready to build your portfolio, we are glad to help.

Security | Folio