Security model
Sipura follows a local-first architecture for private archive material. Private recordings, transcripts, notes, and story structure stay on-device unless a user explicitly invokes a cloud-backed feature such as publishing, backup, AI processing, or collaboration.
Public publishing boundary
- Publishing is an explicit export step.
- Public pages render from sanitized publish snapshots.
- Unlisted pages are excluded from indexing intent but remain reachable by direct URL.
- Republishing updates the public-safe snapshot, not the full private archive.
Infrastructure providers
- Supabase for backend data services and authentication infrastructure.
- OpenAI for AI-assisted processing where a user invokes AI features.
- RevenueCat for subscription entitlement handling where billing is enabled.
- Sentry for crash monitoring when enabled in the product stack.
Security contact
For security or abuse reports, contact contact@glasrocks.com. Include the affected URL, screenshots, and any reproduction details that can help verify the issue quickly.