Practical security boundaries for the widget and dashboard.
This page summarizes how GSBKit handles architecture, data collection, billing boundaries, dependencies, and current limitations for technical and government IT review.
Architecture
GSBKit is a hosted Next.js application with a small public widget delivered from gsbkit.com and a Supabase-backed authenticated dashboard.
The widget is designed to fail silently if the network, API, or host page blocks it, so customer pages keep rendering.
Site ownership, dashboard access, and event history are scoped through Supabase Auth and row-level security policies.
Widget Data Handling
The public widget sends anonymous feature events such as load, open, tool selected, language selected, and profile action.
Widget event payloads are tied to a site ID and page URL context, not visitor names, emails, phone numbers, payment data, or form field values.
Visitor preferences for the widget are stored locally in the browser where possible.
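The two widget properties described above (fail silently when blocked, and send only site and page context) can be enforced in a small event layer. This is an added illustration in JavaScript, not GSBKit's widget code; the event names, the field allowlist, the URL trimming and the endpoint are assumptions.

```javascript
// Added example, not GSBKit's widget code. Demonstrates an anonymous event
// layer for a public widget: payloads are restricted to site and page context
// by an allowlist, and the send path never throws into the host page.

// Feature events the widget emits; anything else is dropped.
const ALLOWED_EVENTS = new Set(["load", "open", "tool_selected", "language_selected", "profile_action"]);

// Fields a payload may carry. Visitor identity, form values and payment data
// are never in this set, so they cannot leave the browser via the widget.
const ALLOWED_FIELDS = new Set(["event", "siteId", "pageUrl", "tool", "language", "action"]);

// Reduce the page URL to origin + path (assumption): query strings and fragments
// can carry search terms or tokens that do not belong in "page URL context".
function pageContext(href) {
  try {
    const u = new URL(href);
    return `${u.origin}${u.pathname}`;
  } catch (_e) {
    return null; // unparsable href is not a reason to break the page
  }
}

// Build an event payload; returns null for unknown events or a missing site ID.
function buildEvent(siteId, href, name, extra = {}) {
  if (!ALLOWED_EVENTS.has(name) || typeof siteId !== "string" || siteId === "") return null;
  const payload = { event: name, siteId, pageUrl: pageContext(href) };
  for (const [key, value] of Object.entries(extra)) {
    // Only allowlisted, scalar fields survive; unknown keys (email, card, ...) are dropped.
    if (ALLOWED_FIELDS.has(key) && (typeof value === "string" || typeof value === "boolean")) {
      payload[key] = value;
    }
  }
  return payload;
}

// Fail-silent send: every failure (network, blocked endpoint, non-2xx) resolves
// to false. fetchImpl is injected so the behaviour can be exercised offline.
async function sendEvent(payload, endpoint, fetchImpl = globalThis.fetch) {
  if (!payload || typeof fetchImpl !== "function") return false;
  try {
    const res = await fetchImpl(endpoint, {
      method: "POST",
      headers: { "content-type": "application/json" },
      body: JSON.stringify(payload),
      keepalive: true, // lets the browser finish the request during navigation
    });
    return Boolean(res && res.ok);
  } catch (_e) {
    return false; // host page keeps rendering regardless of what blocked us
  }
}
```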
Dashboard and Billing Boundaries
Account records, site settings, plan state, and dashboard analytics require authenticated access.
Stripe handles checkout, invoices, subscriptions, payment method updates, and cancellation flows. GSBKit does not store raw card data.
Server-only routes handle privileged Supabase and Stripe operations. Service-role keys are not sent to browser code.
Dependency and Release Policy
The widget bundle is rebuilt from source as part of the release process and is kept under 25 KB compressed for public transfer.
Production changes run typecheck, lint, widget build, accessibility audits, and Next.js production build before deployment.
Dependency warnings are tracked as quality work; security-impacting updates should be prioritized when they affect production paths.
Current Limitations
These limits are intentionally public so buyers can review GSBKit honestly and request the right evidence during procurement.
SOC 2 is not in place yet; it remains future work when revenue justifies the audit cost.
Live assistive-technology testing across multiple screen readers has not been completed and remains planned follow-up work.
Customer websites and customer-created content are outside GSBKit control and need their own review.
The widget is an access-support layer, not a replacement for secure application code or human review.
Security Contact
Report security concerns to security@gsbkit.com. Do not send secrets or sensitive customer data through email unless a secure intake path has been arranged.