Trust & Security

How we protect your data on the GCEW platform

A Mariceuticals Program | Under Brinco Group

1. Access control & least privilege

Every database table enforces row-level security (RLS). Members can only read and write rows that belong to them; counsellors only see clients explicitly assigned to them; admin-only data is gated behind a dedicated is_admin() check rather than client-side flags.

  • Roles live in a separate user_roles table — never on the user profile.
  • Promotion to admin requires a sovereign admin and is logged in role_history.
  • Answer keys for certification and literacy quizzes are blocked from client reads by a restrictive deny policy; scoring happens server-side.
  • Invitation details (admin notes, target role) are served through a minimal SECURITY DEFINER function — invitees never read the underlying row.

2. Email & notification integrity

Transactional and welcome emails are sent only by the server. The endpoints require a valid signed-in session, enforce a template allowlist, and verify that the recipient address matches the authenticated caller (or that the caller is an admin).

  • Users cannot send arbitrary emails through the platform on someone else's behalf.
  • System notifications and badges are inserted by server-side code only — members cannot self-award badges or create system notifications.
  • Internal email-queue helpers are restricted to the service role; the client cannot enqueue, read, or move queue messages.
  • One-click unsubscribe is available on every transactional email.

3. Background jobs & cron

Scheduled jobs (such as trash purge and email-queue processing) run as public endpoints under /api/public/* and authenticate every request:

  • Cron callers must present a shared secret in the Authorization header.
  • Secrets are compared in constant time to prevent timing attacks.
  • Email-queue processing authenticates via a vault-stored service-role key, rotated automatically when platform keys change.
  • Webhook handlers verify provider signatures before any privileged write.
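
One way to implement the cron-caller check listed above, as an added example that is not GCEW's own code. It assumes a Node.js handler and a Bearer-style Authorization value; the names authorizeCronRequest, secretsMatch and SAMPLE_SECRET are hypothetical.

```javascript
// Added example (not the platform's code): authenticate a cron caller on a
// public job endpoint using a shared secret from the Authorization header.
const crypto = require('node:crypto');

// Constructed sample value for illustration; a real secret comes from the
// server's secret store, never from source code.
const SAMPLE_SECRET = 'constructed-sample-cron-secret-0001';

// crypto.timingSafeEqual throws when its inputs differ in length, and an early
// length check would reveal the secret's length. HMAC both values with a
// random per-call key so the comparison always runs over two 32-byte digests.
function secretsMatch(presented, expected) {
  const key = crypto.randomBytes(32);
  const a = crypto.createHmac('sha256', key).update(presented).digest();
  const b = crypto.createHmac('sha256', key).update(expected).digest();
  return crypto.timingSafeEqual(a, b);
}

// Returns the HTTP status the endpoint should answer with.
// `headers` uses lower-case names, as Node's http module provides them.
function authorizeCronRequest(headers, expectedSecret) {
  // Fail closed: an unset or empty configured secret must never
  // authenticate a caller who sends an empty or missing credential.
  if (typeof expectedSecret !== 'string' || expectedSecret.length === 0) {
    return 500;
  }
  const header = headers['authorization'];
  if (typeof header !== 'string') return 401;

  // Assumption: the secret is sent as "Bearer <secret>".
  const match = /^Bearer (\S+)$/.exec(header);
  if (!match) return 401;

  return secretsMatch(match[1], expectedSecret) ? 200 : 401;
}
```

Returning 500 when the secret is not configured keeps a deployment mistake from turning the job endpoint into an unauthenticated one.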

4. Reporting a security issue

If you believe you have found a vulnerability, please contact us at security@gcewwellness.ca. We appreciate responsible disclosure and will acknowledge reports within 5 business days.

This page is maintained by GCEW Wellness to answer common security and privacy questions about the GCEW platform. It describes enabled platform capabilities and is not an independent certification or audit attestation.

© 2026 Brinco Group. All rights reserved.

Mariceuticals™ is a trademark of Brinco Group. GCEW™ is a program developed under Mariceuticals.