Security
Reporting a vulnerability
We welcome reports of security issues. Email hi@kfc.ma with steps to reproduce. We aim to acknowledge within 72 hours and to keep you updated while we investigate and fix. Please give us a reasonable window to remediate before any public disclosure, and avoid accessing or modifying data that is not your own while testing.
There is no paid bug bounty at this time, but we credit reporters who want recognition. Our machine-readable contact details follow RFC 9116.
How your data is handled
- Application data is stored in Neon Postgres in the EU (AWS eu-west-2, London).
- Decision-room content is sent to Anthropic's API only to generate the synthesis, and is never used to train models.
- Authentication uses first-party, HTTP-only cookies. No tracking cookies, no third-party analytics.
- Request logs (IP, user agent, timestamp) are retained for 30 days, then deleted.
- The Slack app requests only the commands scope — it cannot read messages, channels, or files.
See the privacy policy for the full account.