Nihongo Circle

Security Policy

Last updated: June 11, 2026

We take the security of Nihongo Circle and your data seriously. This page explains how we protect it and how to report a vulnerability responsibly. We welcome reports from security researchers.

How we protect your data

  • Data is encrypted in transit (HTTPS) and at rest by our infrastructure providers.
  • Authentication is handled by a dedicated provider (Clerk); we don't store passwords ourselves.
  • The database enforces row-level security so accounts can only read and write their own data.
  • Privileged operations run server-side with least-privilege credentials that are never exposed to the browser.
  • Secrets and API keys are kept in server-side environment variables, never shipped to the client.
  • We apply security headers (such as X-Content-Type-Options, X-Frame-Options, and Referrer-Policy) and rate-limit expensive endpoints to prevent abuse.

No system is perfectly secure. We work to reduce risk, and responsible reports help us do that.

Reporting a vulnerability

If you believe you’ve found a security vulnerability, please email techspacewizard@gmail.com with the subject “Security report.” Please don’t disclose the issue publicly until we’ve had a reasonable chance to address it.

Helpful reports include:

  • A clear description of the issue and its potential impact.
  • Steps to reproduce it (a proof of concept is welcome).
  • The affected URL, page, or endpoint.

We’ll acknowledge your report, keep you updated on our progress, and let you know when it’s resolved.

Scope

In scope: the Nihongo Circle website at https://nihongocircle.com and its subdomains.

Out of scope: the systems of our third-party providers (Clerk, Supabase, Vercel, Microsoft Azure, Cloudflare — please report those to the provider directly), denial-of-service attacks, volumetric testing, social engineering, and physical attacks.

Researcher guidelines (safe harbour)

We won’t pursue or support legal action against researchers who, in good faith:

  • Make a genuine effort to avoid privacy violations, data loss, and service disruption.
  • Only interact with accounts they own or have explicit permission to test, and never access, modify, or delete other users' data.
  • Don't run denial-of-service tests or automated scanning that degrades the Service.
  • Give us reasonable time to fix an issue before disclosing it publicly.

Activity consistent with these guidelines is considered authorised. If in doubt, ask us first.

Recognition

Nihongo Circle is a free, independent project, so we don’t currently offer a paid bug bounty. We’re glad to credit researchers who report valid issues, if you’d like the acknowledgement.

Questions? Email techspacewizard@gmail.com.