Security Review Report

Effective Date: April 1, 2026. SpikedAI is a SaaS "Revenue OS" platform performing real-time conversational intelligence. This report outlines our security architecture and assessment.

1. Overview

SpikedAI is a SaaS "Revenue OS" platform performing real-time conversational intelligence and automated post-call workflows. The system integrates with meeting platforms (via Recall.ai) and popular business tools (Jira, Asana, HubSpot).

Architecture Context:

  • Infrastructure: Hosted on Google Cloud Run (US-Central1).
  • Authentication: Outsourced to Supabase (JWT-based).
  • Communication: HTTPS REST APIs and Server-Sent Events (SSE).

2. Feature Inventory

  • Identity Management (Authentication & Session context)
  • Conversational Logic (Recall.ai Bot management & Real-time Transcripts)
  • Knowledge Hub (Document management & Web Crawling)
  • Third-Party Integrations (OAuth-based bi-directional sync)
  • Reporting Dashboard (Meeting analytics & Sentiment tracking)
  • Administrative Interface (Team config & Billing)

3. API Surface Analysis

The following API endpoints have been observed in src/pages/ContentHub/api.ts, src/App.tsx, and asana_dashboard.tsx.

| Endpoint Category | Observed URLs | Risk Level |
|---|---|---|
| Bot Controller | /start, /stop (Recall Backend) | High |
| Knowledge Hub | /documents, /websites, /upload, /crawl | High |
| Profiles (AI) | /api/profiles/v2/start, /status/{jobId}, /history | Medium |
| Integrations | /integrations/{service}/auth/initiate, /tasks, /projects | High |
| Settings | /settings | Medium |

Observed API Security Risks:

  • Authentication: Uniformly enforced via Bearer JWT in the frontend, but individual endpoint-level authorization checks are not verifiable from the provided code.
  • Input Sanitization: No evidence of server-side schema validation (JSON Schema/Pydantic) or sanitization for file uploads and crawler URLs.
  • Rate Limiting: No visible application-level rate limiting or anti-abuse protection (e.g., WAF/Redis-based throttling), exposing the system to denial-of-service or brute force attacks.
  • IDOR Vulnerability: High likelihood of horizontal privilege escalation on any endpoint accepting IDs (e.g., sourceId, jobId, meetingId) if the backend fails to validate tenanted ownership.
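The object-level check that the IDOR finding says cannot be verified, shown here as an added example and not as code from the SpikedAI codebase. The weak form trusts authentication alone; the corrected form scopes every lookup to the tenant in the verified JWT and records cross-tenant attempts. The claim field orgId, the tables and all IDs are hypothetical, constructed samples.

```typescript
// Added example: tenant-scoped lookup for ID-addressed resources.
// Field names (orgId), tables and IDs are hypothetical, constructed samples.
interface Claims { sub: string; orgId: string } // taken from a verified JWT
interface Owned { id: string; orgId: string }
interface Reply<T> { status: 200 | 404; body?: T }
interface Denial { actor: string; actorOrg: string; kind: string; id: string }

const documents: Owned[] = [
  { id: "doc-a1", orgId: "org-acme" },
  { id: "doc-b7", orgId: "org-globex" },
];
const meetings: Owned[] = [{ id: "mtg-42", orgId: "org-globex" }];
const denials: Denial[] = []; // stands in for a security audit log

// Weak form: authentication only. Any logged-in caller who knows or guesses
// an ID receives the row, whichever organization owns it.
function getByIdOnly<T extends Owned>(table: T[], id: string): Reply<T> {
  const row = table.find((r) => r.id === id);
  return row ? { status: 200, body: row } : { status: 404 };
}

// Corrected form: the tenant comes from the token, never from the request.
// A foreign ID and a missing ID both yield 404, so the reply does not confirm
// that the object exists; the cross-tenant attempt is recorded for alerting.
function getScoped<T extends Owned>(
  kind: string, table: T[], claims: Claims, id: string,
): Reply<T> {
  const row = table.find((r) => r.id === id);
  if (row && row.orgId === claims.orgId) return { status: 200, body: row };
  if (row) denials.push({ actor: claims.sub, actorOrg: claims.orgId, kind, id });
  return { status: 404 };
}
```

The same guard applies to every ID the report lists (sourceId, jobId, meetingId); against a real database the tenant condition belongs in the query itself or in a Row-Level Security policy.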

4. Feature Security Analysis

Feature: Conversational Bot Management (Recall.ai)

Data Handling

  • Types: Bot IDs, real-time transcripts, conversational intelligence.
  • Source: Recall.ai streaming backend.

Authentication & Access Control

  • Method: JWT token passed in headers.
  • Verification: Backend-side tenant isolation for bot instances is unconfirmed.

Data Protection

  • Leakage Vector: High risk of data exposure. console.log statements in App.tsx and useDashboardController.ts log full transcript objects and PII to the browser console.

Feature: Third-Party Integrations (OAuth)

Data Handling

  • Types: OAuth 2.0 Access/Refresh tokens for Jira, HubSpot, Asana, Salesforce.
  • Sources: Third-party SaaS platforms via OAuth flows.

Secrets Management

  • The system handles mission-critical tokens for external services. No verifiable evidence exists of secure secrets storage (e.g., KMS, Vault, or encrypted-at-rest databases).
  • Critical Risk: High impact if tokens are stored in plaintext or if tenant isolation fails, potentially allowing cross-tenant account takeovers in external platforms.

5. System-Level Risks (SOC 2 Gaps)

1. Multi-Tenant Isolation

The system architecture appears multi-tenant (sharing a common backend infrastructure for all users).

  • Risk: Tenant isolation guarantees (e.g., Row-Level Security enforcement) are not verifiable. There is a high likelihood of data leaks between organizations if object-level access checks are weak or missing.

2. Session & Lifecycle Management

Authentication is managed via Supabase, but the application's internal session security is minimal.

  • Risk: No evidence of token revocation, forced logout mechanisms, or device/session monitoring. Token reuse is a high-likelihood risk if sessions are not invalidated server-side upon suspicious activity.

3. Secrets & Key Management

Observations in supabaseClient.ts, Integrations.tsx, and admin.tsx show reliance on client-side environment variables and potentially hardcoded identifiers.

  • Risk: No evidence of secret rotation or hardware-based protection (Cloud KMS). High risk of exposure if developer environments or source control is compromised.

4. Dependency & Patch Management

Analysis of package.json shows 70+ third-party dependencies (Vite, Supabase, Lucide, Recharts, etc.).

  • Risk: No evidence of automated vulnerability scanning (e.g., npm audit, Snyk, or Dependabot) or a formal security patch cadence. Potential for critical exploits via outdated transitive dependencies.

5. Change Management & Infrastructure

Vercel deployment logs show a streamlined CI/CD pipeline.

  • Risk: No evidence of security scanning gates (SAST/DAST) in the build process or formal peer-approval requirements for production changes.

6. Threat Model: Adversarial Scenarios

| Scenario | Attack Vector | Blast Radius | Likelihood |
|---|---|---|---|
| Cross-Tenant IDOR | Guessing a UUID for a document or meeting. | Full access to another organization's proprietary data. | High |
| Integrations Hijack | Exploiting weak token storage to access a victim's HubSpot/Jira. | Full read/write access to external SaaS platforms. | Medium |
| Crawler-based SSRF | Providing an internal metadata URL to the /crawl endpoint. | Extraction of backend infrastructure credentials from Google Cloud. | Medium |
| Dashboard PII Theft | Scraping browser logs on a shared terminal. | Extraction of live conversational data and user PII. | High |
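A server-side pre-flight check for the crawler SSRF scenario, added here as an example and not taken from the SpikedAI backend. It validates a URL submitted to /crawl before any request is made; the function names and the policy (https only, IPv6 literals and single-label names rejected) are assumptions.

```typescript
// Added example: pre-flight check for a URL submitted to a crawl endpoint.
// The policy (https only, no IPv6 literals, no single-label names) is assumed.
interface Verdict { ok: boolean; reason: string }

// IPv4 networks a crawler must never reach: [network, prefix length].
const BLOCKED_V4: Array<[string, number]> = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], // link-local, where cloud metadata services live
  ["172.16.0.0", 12], ["192.168.0.0", 16],
];

function ipv4ToInt(host: string): number | null {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const parts = m.slice(1).map(Number);
  if (parts.some((p) => p > 255)) return null;
  return parts.reduce((acc, p) => acc * 256 + p, 0);
}

function inBlockedRange(ip: number): boolean {
  return BLOCKED_V4.some(([network, bits]) => {
    const base = ipv4ToInt(network) ?? 0;
    return ip >= base && ip < base + 2 ** (32 - bits);
  });
}

function checkCrawlUrl(raw: string): Verdict {
  let u: URL;
  try { u = new URL(raw); } catch { return { ok: false, reason: "unparseable" }; }
  if (u.protocol !== "https:") return { ok: false, reason: "scheme" };
  if (u.username || u.password) return { ok: false, reason: "credentials" };
  // The URL parser has already lower-cased the host and rewritten numeric
  // IPv4 spellings to dotted-quad, so the checks below see one canonical form.
  const host = u.hostname.replace(/\.$/, "");
  if (host.startsWith("[")) return { ok: false, reason: "ipv6-literal" };
  const ip = ipv4ToInt(host);
  if (ip !== null) {
    return inBlockedRange(ip)
      ? { ok: false, reason: "private-address" }
      : { ok: true, reason: "ok" };
  }
  if (!host.includes(".") || /\.(internal|local|localhost)$/.test(host)) {
    return { ok: false, reason: "internal-name" };
  }
  return { ok: true, reason: "ok" };
}
```

This check covers only what is visible in the URL string. The crawler must also verify the address the hostname actually resolves to at connection time and re-run the check on every redirect.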

7. Compliance Readiness (SOC 2 Readiness)

| Category | Status | Auditor Observations |
|---|---|---|
| Access Control | Partial | Authentication present; multi-tenant RBAC and IDOR protection unverified. |
| Data Protection | Partial | TLS 1.2+ active in transit. Secure secrets management and encrypted storage unverified. |
| Monitoring | Missing | No application audit trails or security alerting visible. Mocked logs in UI. |
| System Resiliency | Unconfirmed | No evidence of backup, failover, or incident response testing. |

8. Critical Issues (Fix First)

  1. Remediate Production Logging: CRITICAL: Remove all console.log statements logging transcripts and session data. This is an active data leakage vector.
  2. Verify Tenant Isolation: Audit all API endpoints (especially /documents/{id}) to ensure the user's JWT is strictly validated against the item's owner ID.
  3. Implement Security Headers: Update vercel.json to include Content-Security-Policy and Strict-Transport-Security headers.
  4. Establish Secure Secrets Policy: Confirm encryption-at-rest for OAuth tokens and Recall API keys; evaluate move to Cloud KMS.
  5. Automate Dependency Scanning: Integrate Snyk or Dependabot into the CI/CD pipeline to monitor for vulnerable packages.

Confidence Score: 84.7%
Gaps: Backend-side Row-Level Security (RLS) enforcement and secret rotation policies are unconfirmed from this codebase.
Next Step: Perform a dedicated audit of the Supabase RLS configuration for the sources and meeting_logs tables.

Questions regarding this Security Review may be directed to: security@spiked.ai.