Security & Privacy
Your Home Assistant credentials and data are protected by multiple layers of security. We cannot access your Home Assistant instance, even as the developers.
Security Overview
CasaBoard is designed with privacy and security as core principles. We believe that your smart home data should remain private and that you should have complete control over your Home Assistant instance.
What We Protect
- Your Home Assistant access tokens
- Your Home Assistant URL and credentials
- Your dashboard configurations
- Your personal data and preferences
What We Cannot Access
- Your Home Assistant instance directly
- Your smart home devices or their data
- Your Home Assistant logs or history
- Any data outside of CasaBoard
Technical Security Measures
End-to-End Encryption
Your Home Assistant credentials are encrypted using industry-standard AES-GCM encryption with 256-bit keys before being stored in our database.
Encryption Details:
- • Algorithm: AES-GCM 256-bit
- • Key Derivation: PBKDF2 with 100,000 iterations
- • Hash Function: SHA-256
- • Random IV for each encryption
Key Security:
- • Keys derived from your user data
- • Unique session identifiers
- • Cannot be decrypted without your account
- • Web Crypto API (browser-native)
Database Security with Supabase
Our database is powered by Supabase (built on PostgreSQL) and uses Row Level Security (RLS) to ensure that you can only access your own data. RLS is enforced at the database level, meaning even if someone gained direct database access, they could only see their own records.
Supabase RLS Policies:
- • Database-level access control
- • User-specific data isolation
- • No admin bypass mechanisms
- • Automatic user filtering on all queries
- • Policy:
auth.uid() = user_id
Data Protection:
- • Encrypted at rest in database
- • No plaintext credential storage
- • Automatic data cleanup on account deletion
- • Regular security audits
- • Supabase's enterprise security
How RLS Works:
Every database query automatically includes a filter like WHERE auth.uid() = user_id. This means even if we tried to query all users' data, the database would only return records belonging to the authenticated user. This protection is built into the database itself.
Authentication & Authorization
Every request to your data requires valid authentication. We use Supabase Authfor secure user management and session handling, which provides enterprise-grade security and is trusted by thousands of applications worldwide.
Supabase Authentication:
- • Industry-standard JWT tokens
- • Secure session management
- • Automatic token refresh
- • Multi-factor authentication support
- • OAuth providers (Google, GitHub, etc.)
- • Password reset and email verification
Authorization & RLS:
- • Every API call requires valid user session
- • User ID verification on all operations
- • No cross-user data access possible
- • Middleware protection on all routes
Developer Access & Transparency
We Cannot Access Your Data
As the developers of CasaBoard, we have implemented multiple security layers that prevent us from accessing your Home Assistant instance or credentials, even if we wanted to.
What We Cannot Do:
- • Access your Home Assistant credentials
- • Decrypt your stored tokens
- • Bypass authentication systems
- • Access your HA instance directly
- • See other users' data
Technical Barriers:
- • User-specific encryption keys
- • Supabase Row Level Security policies
- • No admin bypass mechanisms
- • No service account access
- • No backdoor access patterns
- • Supabase's built-in access controls
What We Can See (Limited)
For debugging and support purposes, we can only see:
- • Encrypted data structure - We can see that encrypted data exists, but not its contents
- • Error logs - To help troubleshoot issues (no sensitive data included)
- • Usage statistics - Anonymous analytics to improve the service
- • Account information - Basic account details for support (email, subscription status)
How Your Data Flows
Initial Setup
When you connect your Home Assistant instance, your credentials are encrypted using your unique user data and stored in our database. The encryption key is derived from your account information and cannot be recreated by anyone else.
Daily Usage
When you use CasaBoard, your encrypted credentials are retrieved from the database, decrypted using your account-specific key, and used to communicate with your Home Assistant instance. The decrypted data never leaves your browser session.
Data Storage
All sensitive data is encrypted before being stored. Your dashboard configurations and preferences are also protected, though they don't contain sensitive credentials.
Powered by Supabase Security
Enterprise-Grade Infrastructure
CasaBoard is built on Supabase, a trusted platform used by thousands of applications worldwide. Supabase provides enterprise-grade security, compliance, and infrastructure that we leverage to protect your data.
Authentication
- • JWT-based authentication
- • OAuth providers (Google, GitHub)
- • Multi-factor authentication
- • Secure session management
Database Security
- • PostgreSQL with RLS
- • Encrypted connections (TLS)
- • Automatic backups
- • Point-in-time recovery
Infrastructure
- • AWS infrastructure
- • SOC 2 Type II compliant
- • GDPR compliant
- • Regular security audits
Security Standards & Compliance
Security Standards
- • AES-GCM encryption (FIPS 140-2 compliant)
- • PBKDF2 key derivation (OWASP recommended)
- • Web Crypto API (W3C standard)
- • HTTPS everywhere (TLS 1.2+)
- • Secure session management
Best Practices
- • Principle of least privilege
- • Defense in depth
- • Regular security audits
- • No hardcoded secrets
- • Secure development lifecycle
Questions or Concerns?
We understand that security and privacy are paramount when it comes to your smart home. If you have any questions about our security measures or would like more technical details, please don't hesitate to reach out.
Last updated: November 4, 2025
This security documentation is regularly reviewed and updated to reflect our current practices.