Security

Your screenplay might be the most valuable thing you own. Here’s exactly how we protect it.

Your data is isolated at the database level

Every query to SottoWrite’s database passes through Row Level Security — a feature of PostgreSQL, the same open-source database engine trusted by Apple, Instagram, and Spotify. Access rules aren’t just application logic that could have bugs — they’re enforced by the database itself.

In plain terms: another user can’t access your script even if they craft a direct request to our API. The database simply won’t return it.

Encrypted everywhere

Your data is encrypted in transit using TLS — the same protocol that protects online banking — and at rest using AES-256 encryption on our infrastructure. There is no point at which your screenplay sits unprotected on a server.

We never see your password

Authentication is handled by Supabase Auth, a dedicated identity platform used by hundreds of thousands of applications. Your password is hashed and stored by their system — it never passes through SottoWrite’s code. This is the same separation-of-concerns approach used by apps that rely on Auth0, Firebase Auth, and similar platforms.

We never touch your credit card

Payments are processed entirely by Stripe, which handles payments for Amazon, Google, Shopify, and millions of other businesses. Your card number never reaches our servers — not even briefly. Stripe is certified to the highest level of payment security compliance (PCI DSS Level 1), and we verify every payment notification cryptographically to prevent tampering.

Collaboration is continuously verified

When you share a script, only the people you explicitly invite can access it. Every connection to our real-time collaboration server requires a verified identity token, and we re-check permissions every 15 seconds — so if you revoke someone’s access, they’re disconnected promptly.

The collaboration server also validates the origin of every connection to prevent cross-site attacks, and caps editors at 5 per document to prevent abuse.
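
For technically minded readers, here is a sketch of the connection checks described above. It is an added illustration, not SottoWrite's code: the class, the callback names and the allowed origin are hypothetical, and only the 5-editor cap and the 15-second interval come from this page.

```javascript
// Added illustration; every name here is hypothetical.
const ALLOWED_ORIGINS = new Set(["https://app.example.test"]); // assumed allowlist
const MAX_EDITORS = 5;     // cap stated on the page
const RECHECK_MS = 15000;  // re-check interval stated on the page

class CollabGate {
  // verifyToken(token) -> userId or null; canAccess(userId, docId) -> boolean
  constructor({ verifyToken, canAccess }) {
    this.verifyToken = verifyToken;
    this.canAccess = canAccess;
    this.sessions = new Map(); // docId -> Map(userId -> time of last permission check)
  }

  // Admission order: origin, identity, permission, then capacity.
  connect({ origin, token, docId }, now) {
    if (!ALLOWED_ORIGINS.has(origin)) return { ok: false, reason: "bad_origin" };
    const userId = this.verifyToken(token);
    if (!userId) return { ok: false, reason: "bad_token" };
    if (!this.canAccess(userId, docId)) return { ok: false, reason: "forbidden" };
    const editors = this.sessions.get(docId) ?? new Map();
    // A reconnecting editor does not count twice against the cap.
    if (!editors.has(userId) && editors.size >= MAX_EDITORS) {
      return { ok: false, reason: "document_full" };
    }
    editors.set(userId, now);
    this.sessions.set(docId, editors);
    return { ok: true, userId };
  }

  // Run on a timer: re-check sessions older than the interval and
  // return the ones to disconnect because access was revoked.
  sweep(now) {
    const dropped = [];
    for (const [docId, editors] of this.sessions) {
      for (const [userId, lastChecked] of editors) {
        if (now - lastChecked < RECHECK_MS) continue;
        if (this.canAccess(userId, docId)) {
          editors.set(userId, now);
        } else {
          editors.delete(userId);
          dropped.push(`${userId}@${docId}`);
        }
      }
    }
    return dropped;
  }
}
```

The point of the sweep is that a valid token alone is not enough to stay connected: permission is looked up again against the current access list, so revocation takes effect within one interval.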

Your work is versioned and recoverable

SottoWrite automatically creates version snapshots as you write, so you can recover earlier versions of your script. When you delete a script, it moves to trash first — giving you a window to change your mind before anything is permanently removed.

Built on trusted infrastructure

SottoWrite runs on Vercel, Supabase, and Fly.io — the same cloud platforms used by thousands of production applications worldwide. We chose this stack specifically because each layer is maintained by dedicated security teams, and their infrastructure is battle-tested at a scale we benefit from directly.

What we don’t do

  • We don’t sell your data
  • We don’t train AI on your scripts
  • We don’t read your screenplays
  • We don’t share your information with third parties beyond what’s needed to run the service

Questions?

If you have questions about how we protect your work, reach out to hello@sottowrite.com. We’re real people and we’ll get back to you.

Last updated: March 2026