Base Case

Security Overview

A public explanation of Base Case's current stack, account controls, and responsible disclosure process.

Base Case relies on managed infrastructure for authentication, app data, AI, hosting, and code execution. This page describes the practical controls that exist today without overstating them.

Effective date

March 6, 2026

Operator

Base Case, operated by Xavier Agostino

Contact

Current status

This page is a plain-language overview, not a certification, audit report, or promise of specific compliance outcomes.

Current security posture

Base Case uses managed services for authentication, application data, and hosting rather than running custom identity or database infrastructure. This reduces operational burden but does not remove the need for careful configuration and good user hygiene.

Practical account controls, including active-session review, connected accounts, data export, and Casey-history clearing, are available inside the product.

Current service architecture

Clerk

Sign-in, connected accounts, session management, and account portal flows.

Convex

Settings, progress, workspace state, communities data, Casey history, and related records.

Harvard Gemini gateway

Casey and autofill prompt processing through the Gemini API.

Judge0

Code submission execution and result delivery.

Vercel

Frontend hosting, Vercel Analytics, and Speed Insights.

Practical controls available today

  • Managed sign-in and connected-account flows through Clerk.
  • Active session review and session revocation from the account settings area.
  • Account-linked data export as JSON from Settings.
  • A targeted Clear Casey Data control that removes Casey conversations, messages, and Casey usage records.
  • Local theme preference storage in the browser instead of a more invasive tracking setup for that setting.

Shared responsibility

Users should choose strong authentication methods, protect account access, and avoid submitting secrets, production credentials, or confidential material to prompts or execution environments unless they are comfortable with that processing path.

AI outputs should be reviewed before they are trusted, and code execution results should be treated as tooling for practice rather than a substitute for independent testing or professional review.

Responsible disclosure

  • Email with a clear description of the issue, affected route or feature, reproduction steps, and any supporting screenshots or logs.
  • Do not publicly disclose the issue until Base Case has had a reasonable chance to investigate and respond.
  • Do not access, modify, exfiltrate, or destroy data that does not belong to you.
  • Do not use testing that degrades the service for other users, triggers denial-of-service conditions, or creates real user harm.

Current policy

Base Case does not currently advertise a formal bug bounty program, paid disclosure program, certification set, or uptime SLA.

Important limits

This page does not claim independent audits, formal certifications, specific encryption guarantees, or regulatory compliance frameworks that have not been separately published and supported. No internet-connected product can guarantee perfect security.

If Base Case's security posture materially changes, this page should be updated along with the effective date so the public description remains aligned with the actual product.
