Security

How we run the site.

The site runs on Lovable Cloud, with HTTPS-only access and modern ciphers. Application code is server-side rendered; the database is Postgres with row-level security on every table.

Triage tool

The triage tool runs entirely in your browser. No personally identifying information is sent server-side. If anonymized telemetry is enabled, it carries only the path of choices and an optional state code.

Vulnerability disclosure

Report security issues to security@hackfirstaid.com. We will acknowledge reports within two business days and credit reporters on request.

Customer data

Subscriber contact information, family-template drafts, and tabletop notes are stored in our Postgres database with row-level security limiting access to the district that owns the data and our incident-response team.