Draft — pending legal review.

This document is not yet attorney-reviewed. It's published so visitors aren't met with a 404, and so you can see the direction we're going. It will be replaced with counsel- approved language before onboarding paid campaigns.

//Security

How we protect campaign data.

Last updated · April 20, 2026

Campaign data is sensitive. Voter files are licensed under strict terms. SMS and email outreach is regulated. Donation flows pass through PCI-scope infrastructure. We take this seriously.

Architecture

Culper is built on Supabase (hosted Postgres) and Vercel (web hosting). Every campaign-scoped table has an explicit campaign_id column and a Row-Level Security policy that enforces membership before a row can be read or written. RLS is the last line of defense; application-level checks also filter every query.

No campaign can read another campaign's data. Platform administrators at Culper have an explicit role gate and their actions are audit-logged to a separate table.

Authentication

We use Supabase Auth with magic-link sign-in. No passwords are stored on our side for standard users. Session cookies are HttpOnly, Secure, and SameSite=Lax. Middleware refreshes sessions on each request against protected routes.

Encryption

All traffic to theculpernetwork.com is served over HTTPS/TLS. Data at rest in Supabase-hosted Postgres is encrypted using AES-256. Object storage uploads (voter CSVs in transit during import) are encrypted in transit and at rest.

LLM query safety

The natural-language query feature does not pass voter rows to the language model. The model emits a constrained JSON grammar (DSL) describing filters. A server-side validator checks the DSL against an allowlist of fields and operators, then compiles it to parameterized SQL scoped to the requesting campaign. Every prompt plus its compiled DSL and row count is logged for audit.

Subprocessors

We depend on the following third parties. Each carries its own security posture; we encourage you to review theirs if you are responsible for vendor risk at your committee.

  • Supabase — Postgres, Auth, Storage. SOC 2 Type II.
  • Vercel — Web hosting. SOC 2 Type II.
  • Stripe — Payments. PCI DSS Level 1.
  • Twilio — SMS delivery. ISO 27001.
  • SendGrid (Twilio) — Email delivery. SOC 2 Type II.
  • Anthropic — LLM API for query translation. SOC 2 Type II; voter rows are not transmitted.

Compliance posture

  • TCPA — consent logged at the source; global opt- out list enforced campaign-agnostically; STOP keywords honored automatically via Twilio inbound webhook.
  • A2P 10DLC — every campaign that sends SMS registers a TCR political campaign brand through our wizard before messaging is enabled.
  • PCI DSS — we never touch card numbers; payments are handled entirely in Stripe's PCI-compliant flow via Stripe Connect.
  • SOC 2 — architecture is SOC-aware. A formal audit has not yet been completed. We're transparent about that posture rather than overclaiming.

Incident response

If we identify a security incident affecting customer data, we'll notify affected customers without undue delay, typically within 72 hours of confirmation, and provide the details we have. We'll work with you on remediation.

Reporting vulnerabilities

If you find a security issue in Culper, please report it to security@theculpernetwork.com. We appreciate responsible disclosure — please give us a reasonable window to investigate and fix before publishing details.