Spades

Security Policy

Last updated: April 26, 2025

1. Introduction

Spades ("we", "us", or "our") is committed to maintaining the confidentiality, integrity, and availability of our web application and the data entrusted to us by our users. This Security Policy describes our approach to protecting user data and responding to potential security issues in a responsible, transparent manner.

2. Scope

This policy applies to the Spades public web application (https://spades.poker) and all associated systems, networks, and services under our control.

3. Data Handling

OAuth Tokens

  • We act as an OAuth client for Linear on behalf of our users. All tokens are stored encrypted at rest and transmitted over TLS 1.2+ connections.
  • Tokens are used solely to fetch and write estimation data within Linear and are never shared or sold.

Data Minimization

  • We collect only the minimum data necessary to provide core functionality.
  • No payment information or other sensitive PII is stored by Spades.

4. Vulnerability Disclosure & Reporting

We encourage security researchers to help us identify and fix vulnerabilities. To report a potential issue:

  1. Email: security@spades.poker
  2. What to Include:
    • A clear description of the issue.
    • Steps to reproduce (screenshots or proof-of-concept code are welcome).
    • Any relevant URLs, headers, or request/response data.
  3. Acknowledgement Timeline:
    • We will confirm receipt of your report within 48 hours.
  4. Remediation Timeline:
    • We aim to address and deploy a fix within 14 days of acknowledgement.
  5. Safe-Harbor:
    • Provided you act in good faith and abide by all applicable laws, Spades will not initiate legal action against you for any research performed in accordance with this policy.

5. Incident Response

  • Our internal incident-response team manages all investigations, mitigation, and communication for security incidents.
  • While the details of our process are confidential, we will notify affected users and, if required by law, relevant authorities in the event of a data breach.

6. Security Best Practices

Spades follows industry-recognized guidelines (e.g. OWASP Top Ten) to safeguard our application. Key controls include:

  • Enforced TLS for all data in transit
  • Encryption of sensitive data at rest
  • Regular dependency and vulnerability scans
  • Role-based access controls for internal systems
  • Periodic third-party penetration testing

Note: If you require more detail on these controls, please contact us at security@spades.poker.

7. Policy Review & Updates

This Security Policy is reviewed and updated on an as-needed basis. Any material changes will be reflected here and, when appropriate, communicated to our users.

By using Spades, you acknowledge that you have read and understood this Security Policy.