My buyer asked if my app is secure. What do I say?

Short answer

Don't wing it. Send a written answer with: (1) what data you hold and where, (2) three specific controls (RLS, auth, rate limits), (3) one line about an external security review and when it ran, (4) a link to your security.txt. Buyers are not looking for perfect — they want you to have thought about it and show your work.

Buyers ask this during procurement, diligence, and security review. A prepared answer is worth five minutes of thought.

The four-paragraph email that usually closes it:

Paragraph 1: What data you hold, where. Example: 'We hold email, name, payment method on Stripe, and user-generated content on Supabase. No SSN, no health data, no EU-specific sensitive categories. Data lives in us-east-1 Supabase and Stripe US.'

Paragraph 2: Three specific controls. Example: 'Authentication is via Supabase Auth with email+password. All tables have Row-Level-Security enforcing tenant isolation. Rate limits are enforced on auth endpoints, and no service-role keys ship in client code.'
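The Row-Level-Security claim in paragraph 2 is only true if the policies actually exist, so here is an added illustration (not code from the original post) of a Postgres/Supabase policy set that enforces tenant isolation. The table and column names (documents, memberships, tenant_id) are assumptions for the example; auth.uid() is Supabase's built-in helper for the calling user's id.

```sql
-- Assumed schema for the example: documents belong to a tenant, and
-- memberships records which authenticated users belong to which tenant.
create table if not exists public.memberships (
  user_id   uuid not null references auth.users (id),
  tenant_id uuid not null,
  primary key (user_id, tenant_id)
);

create table if not exists public.documents (
  id        uuid primary key default gen_random_uuid(),
  tenant_id uuid not null,
  body      text
);

-- Enable RLS on both tables. With RLS on and no matching policy, a query
-- returns zero rows (default deny); FORCE also applies it to the owner.
alter table public.memberships enable row level security;
alter table public.memberships force row level security;
alter table public.documents   enable row level security;
alter table public.documents   force row level security;

-- Users can read only their own membership rows. This policy is required
-- because the subqueries below run as the caller and are themselves
-- subject to RLS on memberships.
create policy "members read own memberships"
  on public.memberships for select
  to authenticated
  using (user_id = auth.uid());

-- Reads: a document is visible only to members of its tenant.
create policy "tenant members read documents"
  on public.documents for select
  to authenticated
  using (
    tenant_id in (select m.tenant_id from public.memberships m
                  where m.user_id = auth.uid())
  );

-- Writes: WITH CHECK is evaluated on the new row, so a client cannot
-- insert into a tenant it does not belong to.
create policy "tenant members insert documents"
  on public.documents for insert
  to authenticated
  with check (
    tenant_id in (select m.tenant_id from public.memberships m
                  where m.user_id = auth.uid())
  );
```

No policy names the anon role, so unauthenticated requests see nothing. The Supabase service-role key runs as a role that bypasses RLS entirely, which is exactly why the same paragraph promises it never ships in client code.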

Paragraph 3: The review + when it ran. Example: 'We ran a third-party security review (Securie) on [date]. Found 2 items, both fixed within 48 hours. Report available on request under NDA.'

Paragraph 4: Future posture. Example: 'On SOC 2 Type 1 track, targeting [quarter]. Will sign a DPA with enterprise customers. /.well-known/security.txt published for coordinated disclosure.'

This beats 'we take security seriously' and also beats 'we haven't looked into it' — both of which signal risk.

When your repo is enabled, Securie gives you the thing to cite in paragraph 3. Request access at /scan so future buyer questions have an evidence-backed answer.
