Trust, Security & Privacy
This page is maintained by The 901 Report to answer common security and privacy questions about the site. It is editable project content, not an independent certification.
What this page is — and isn't
We describe controls that are actually enabled on the site today and how reader and source data is handled. We do not claim SOC 2, ISO 27001, HIPAA, PCI, or GDPR certification, and we do not present this page as audited or independently verified. Security is a shared responsibility between our hosting platform, our team, and the people who use the site.
Access & authentication
The public site (newsroom, dashboard, reports, council coverage, RSS, sitemap) is readable without an account. There is no public sign-up.
Administrative tools at /admin are restricted to staff of The 901 Report. Admin sign-in requires an email address on a team-only email domain and a password, a bot/abuse check at the login form, and a time-based one-time passcode (TOTP) from an authenticator app as a second factor. Server-side authorization checks run on every admin action; UI-only checks are never the sole defense.
Platform & hosting
The site is built and hosted on Lovable, with the database, authentication, file storage, and serverless functions provided by Lovable Cloud (backed by Supabase). Data in transit is encrypted via HTTPS. Data at rest is encrypted by the underlying cloud provider as part of its standard managed-database service.
Reader data we collect
If you sign up for vote and meeting alerts, we store the email address you provide and a confirmation status so we know it is really yours. We use that email only to send the alerts you asked for. You can unsubscribe at any time using the link in any alert email.
If you send us a tip or message through the contact form, we store what you submitted so our editorial desk can read and respond. Any attachments you upload are kept in a private storage bucket that is not publicly listable.
We collect basic, aggregated pageview information (which page, when, referrer) to understand what coverage is reaching readers. We do not sell reader data and we do not use it for advertising.
Sources & tips
Tips submitted through the contact form are visible only to the editorial team. The public site cannot read tip submissions. We protect sources to the fullest extent the law allows. For especially sensitive material, please do not use your work email or work device — reach out and we will arrange a more secure channel.
Cookies & analytics
We use a small number of first-party cookies and similar storage to keep you signed in (admin only) and to remember theme preferences. Pageview analytics are first-party and do not require a third-party advertising tracker.
Retention & deletion
Alert subscribers are kept until you unsubscribe. Tip submissions and contact messages are kept as long as they remain editorially relevant. To request deletion of your email from our alert list or removal of a message you sent us, write to us via the contact page.
Reporting a security issue
If you believe you have found a security vulnerability in the site (for example, a way to read non-public data, bypass admin authentication, or alter published content), please report it privately via the contact page with the subject line "Security". Please give us a reasonable window to investigate and remediate before any public disclosure.
Editorial & legal
For our editorial policy, sourcing standards, opinion and fair-comment notice, and the corrections and takedown process, see Legal & Disclaimers.
