Architecture Audit and Compliance Gap Analysis

Last updated: 17 June 2026

This audit was prepared from the TalesNTokens repository and the stated platform assumptions: Supabase, Stripe, Resend, Fly.io, Cloudflare, Nuxt, TypeScript, WebSockets, user accounts, user-generated maps, user-generated tokens, user-generated character sheets, public and private game rooms, marketplace functionality, creator uploads, and purchasable digital content.

This audit supports the Privacy Policy, Terms of Service, Cookie Policy, Marketplace Terms, Security Policy, GDPR Data Rights Policy, and Trust and Safety Policy.

Regulatory Sources Checked

UK GDPR and privacy transparency: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/
Lawful basis guidance: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/lawful-basis/a-guide-to-lawful-basis/
Right to be informed: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/individual-rights/right-to-be-informed/
Cookies and PECR: https://ico.org.uk/for-organisations/direct-marketing-and-privacy-and-electronic-communications/guide-to-pecr/cookies-and-similar-technologies/
Personal data breach reporting: https://ico.org.uk/for-organisations/report-a-breach/personal-data-breach/personal-data-breaches-a-guide/
Children's code: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/childrens-information/childrens-code-guidance-and-resources/
UK digital content consumer rights: https://www.legislation.gov.uk/ukpga/2015/15/part/1/chapter/3
UK online and distance selling: https://www.gov.uk/online-and-distance-selling-for-businesses
EU Consumer Rights Directive: https://commission.europa.eu/law/law-topic/consumer-protection-law/consumer-contract-law/consumer-rights-directive_en
EU Digital Services Act: https://digital-strategy.ec.europa.eu/en/policies/digital-services-act
DSA user rights and appeals: https://digital-strategy.ec.europa.eu/en/factpages/user-rights-under-digital-services-act
U.S. DMCA service-provider resources: https://www.copyright.gov/512/
UK Online Safety Act guidance: https://www.ofcom.org.uk/online-safety/illegal-and-harmful-content/illegal-content-duties-under-the-online-safety-act
UK child safety duties: https://www.ofcom.org.uk/online-safety/protecting-children/protection-of-children-duties-under-the-online-safety-act
NCA CSEA reporting portal: https://www.nationalcrimeagency.gov.uk/what-we-do/crime-threats/child-sexual-abuse-and-exploitation/the-child-sexual-exploitation-abuse-industry-reporting-portal

Architecture Audit

Data Collected

Account email, Supabase auth user ID, internal user ID.
Nicknames, room nicknames, theme preferences, custom theme colour.
Invite code usage and invited date.
Room names, memberships, roles, preferences, assigned player IDs.
User-generated maps, map packages, map layers, thumbnails, map settings.
Tokens, map assets, initiative state, dynamic lighting, game state.
Character sheet data, character information, equipment, spells, token settings, profile pictures.
Notes and custom compendium content, including HTML notes.
Repository uploads: maps, tokens, images, assets, MIME type, size, storage path.
Sandbox session token hash, display name, IP hash, user-agent hash, expiry, last seen.
Founder/supporter reservation email, Discord username, Stripe session ID, payment intent ID, amount, currency, payment status, tier.
Mailing list email and source.
WebSocket room, bridge, player, game-state, chat, dice, and sync events.
Browser localStorage/sessionStorage caches and preferences.
Google Analytics page view data where enabled.
Security and infrastructure logs, including IP and user-agent metadata.
Planned marketplace data: creator profiles, listings, licences, purchases, payouts, refund and chargeback records.

Data Stored

Supabase Auth stores authentication account data.
Supabase Postgres stores application data through Prisma models.
Supabase Storage stores uploaded repository assets and bridge snapshots.
Browser localStorage stores Supabase session, theme, invite flow state, room caches, chat cache, character cache, repository cache, map drafts, bridge sessions, tutorial flags, and gameboard versions.
Browser sessionStorage stores temporary fallback caches.
tnt_sandbox HttpOnly cookie stores sandbox session token.
Stripe stores payment and customer checkout data.
Resend stores transactional email delivery data.
Fly.io socket service handles transient WebSocket events and may hold logs.
Cloudflare may store edge logs and cache metadata.
Google Analytics stores analytics identifiers and page events where enabled.

Data Processed

Authentication and invite-code access.
Real-time gameplay and WebSocket synchronization.
Map, token, character sheet, notes, and compendium creation.
File uploads, signed URL generation, storage quota checks, and asset deletion.
Sandbox session creation, rate limiting, expiry, and cleanup.
Stripe checkout, webhook confirmation, reservation records, and email confirmation.
Mailing list signup.
Analytics page tracking.
Planned marketplace listing, purchase, licence, payout, refund, and chargeback workflows.
Planned reporting, moderation, safety, copyright, and appeals workflows.

Third-Party Services Used

Supabase for Auth, Postgres, Storage, logs, and backups.
Stripe for payments, checkout, disputes, refunds, and payment metadata.
Resend for transactional email.
Fly.io for socket server hosting.
Cloudflare for DNS, edge security, caching, and request logs where configured.
Google Analytics and Google Tag Manager for analytics where enabled.
Google Fonts for font delivery.
Discord invite links and community spaces.
Roll20 and Foundry integrations for bridge flows.
Vercel/deployment configuration appears in the repository and should be confirmed as either active or legacy.

User-Generated Content Flows

Authenticated users create rooms and memberships.
Users create maps and save map packages to Supabase Postgres.
Users create gameboards and game state, including map assets and tokens.
Users upload repository assets to Supabase Storage through API routes.
Users create and edit character sheets, notes, and custom compendium data.
WebSocket events sync game state, chat, dice rolls, initiative, player activity, and bridge state.
Sandbox users create temporary rooms and maps tied to expiring sandbox sessions.
Planned creators upload marketplace Assets, publish listings, and grant Buyer licences.
Planned buyers purchase Digital Content through Stripe and receive platform-delivered access.

Authentication Methods

Supabase magic-link passwordless authentication.
Supabase session persistence in localStorage.
Invite-code validation before access to account features.
Sandbox access through HttpOnly tnt_sandbox cookie.
No direct password storage found in the app.
No MFA, device/session management, account recovery controls, or account deletion control confirmed.

Payment Systems

Stripe Checkout creates one-time supporter access payments.
Stripe webhooks verify signatures and confirm paid sessions.
Founder reservation records store payment metadata.
Marketplace-specific Stripe Connect, payout, refund, tax, VAT, invoice, licence fulfilment, and chargeback workflows are not yet visible in the audited code.

Marketplace Functionality

Legal terms now define creator ownership, buyer licences, commercial/personal use, redistribution restrictions, revenue share, chargebacks, refunds, takedowns, copyright disputes, and asset licence categories.
The audited code does not show dedicated marketplace schema, listing models, creator onboarding, payout records, licence grant records, tax records, or in-app buyer/creator dispute workflows.

Analytics And Tracking

Google Analytics script can load in production when analytics is enabled.
No implemented cookie consent gate was found to block analytics before consent.
No consent record model was found.

Cookies And Local Storage

tnt_sandbox cookie is HttpOnly, SameSite=Lax, secure in production, and expires with sandbox TTL.
Supabase auth session is stored in localStorage using supabase.auth.token.
Theme, custom colour, invite flow, room caches, chat caches, map drafts, tutorial flags, bridge sessions, and gameboard versions use localStorage/sessionStorage.
No in-app storage clearing or consent preference centre was found.

Email Systems

Supabase sends authentication magic links.
Resend sends reservation confirmation emails.
Mailing list signup stores emails but no complete unsubscribe and marketing consent flow was confirmed.

Moderation Systems

Legal policies now define moderation, reporting, and appeals.
No dedicated moderation queue, report model, content labels, user blocking, mute controls, trust/safety dashboard, audit trail, or transparency tooling was found.

File Uploads

Repository assets can be uploaded as base64/buffer data and stored in Supabase Storage.
Regular room upload limit found: 2 MB per file.
Sandbox upload and payload limits exist separately.
MIME types include image formats, including SVG extension support in storage helper.
Malware scanning, image sanitisation, SVG sanitisation, content hashing, duplicate detection, and ownership verification were not found.
Some repository asset endpoints appear to lack explicit authentication and room membership authorization checks.

Asset Ownership Models

Legal policies now state that users retain ownership and grant TalesNTokens only a limited operational licence.
Code-level marketplace ownership, licence grant, and buyer entitlement models were not found.

User Reporting Systems

Legal policies now define reporting channels.
No in-app report forms, report API routes, report status tracking, appeal tracking, or non-registered illegal-content reporting channel was found.

Critical Findings

Several room content endpoints appear to lack explicit server-side authentication and membership authorization checks, including repository assets, notes, folders, gameboards, and custom compendium routes. This is a critical privacy and security issue.
Google Analytics may load in production without a consent gate, creating PECR/GDPR risk.
No account deletion, data export, consent preference centre, or data rights workflow is implemented in-app.
Marketplace legal terms are now drafted, but marketplace operational controls are not visible: listings, licence grants, creator verification, tax records, payouts, refund workflows, chargeback handling, and dispute evidence.
No in-app reporting, moderation queue, appeals workflow, or safety tooling is visible.
File upload controls are incomplete for a public UGC marketplace: malware scanning, SVG sanitisation, content hashing, and rights evidence are missing.
No child-safety risk assessment, Online Safety Act assessment, or CSEA reporting workflow is visible.
Audit logging is insufficient for public launch, especially for admin actions, moderation, marketplace, payments, security, and data rights.
Business identity, registered address, regulator registration status, VAT/tax details, and live legal inboxes must be confirmed before publication.
Public/private room privacy model is not fully explicit in the schema and should be implemented as clear access controls, not just unlisted IDs.

Gap Analysis

Missing Legal Requirements

Confirm legal entity name, trading name, registered address, company number, VAT/tax status, and official contact details.
Register or confirm ICO/data protection registration if required.
Register DMCA designated agent if relying on U.S. DMCA safe harbour.
Put DPAs and transfer safeguards in place with Supabase, Stripe, Resend, Fly.io, Cloudflare, Google, and deployment providers.
Publish cancellation and digital content acknowledgements at checkout.
Publish marketplace seller identity and trader status disclosures where required.
Publish child safety and Online Safety Act assessment summaries if required.

Missing Compliance Requirements

UK GDPR/EU GDPR records of processing.
Lawful basis assessment and legitimate interests assessments.
Data protection impact assessments for UGC, marketplace, analytics, child-accessible features, uploads, moderation, and WebSockets.
International transfer assessment and SCC/UK addendum records.
Cookie consent records.
Breach response runbook and 72-hour notification process.
Retention implementation tied to actual delete jobs.
Consumer refund and cancellation workflow.
DSA-style notice/action, statements of reasons, and internal appeal workflow if in scope for EU users.
UK Online Safety Act illegal-content and child-access assessments if in scope.

Missing Platform Functionality Required For Compliance

Account deletion endpoint and UI.
Data export endpoint and UI.
Consent banner and preference centre.
Consent storage and audit record.
In-app privacy settings.
In-app report button on rooms, assets, listings, profiles, and messages.
Report API and moderation queue.
Appeal API and appeal status tracking.
Marketplace listing schema and licence grant records.
Creator onboarding, verification, tax, payout, and sanctions workflow.
Buyer entitlement and download/access control.
Refund and chargeback operational workflow.
Admin dashboard with role-based access control.
Audit log service.
File scanning service.
Takedown and counter-notice workflow.
Child safety escalation workflow.

Missing User Controls

Delete account.
Export account data.
Clear local caches from app settings.
Manage cookie consent.
Manage analytics opt-in/opt-out.
Revoke sessions.
View active rooms and shared content.
Transfer or delete room ownership.
Remove marketplace listings.
View licences purchased.
Report content and track report status.
Appeal moderation decisions.
Block or mute users where user-to-user interaction exists.

Cookie banner with reject/accept/customise choices.
Prior blocking of Google Analytics until consent.
Consent records with timestamp, version, categories, and region.
Marketing email opt-in and unsubscribe flow.
Digital content immediate access acknowledgement at checkout.
Creator agreement acceptance record.
Marketplace licence acceptance record.

Missing Moderation Tools

Report queue.
Triage levels.
Content removal and restoration tools.
User warning/suspension tools.
Listing delisting tools.
Payout hold tools.
Evidence preservation.
Repeat infringer tracker.
Child safety escalation.
Malware quarantine.
Moderator notes and audit logs.
Statement-of-reasons templates.
Appeal review queue.

Missing Audit Logging

Login and session events.
Account deletion/export requests.
Data rights requests.
Room membership changes.
Upload/create/update/delete actions for assets.
Marketplace listing changes.
Purchases, refunds, chargebacks, payout holds.
Creator verification and tax changes.
Moderation actions.
Report submissions and outcomes.
Appeal submissions and outcomes.
Admin access to user data.
Security events and rate-limit triggers.
Consent changes.

Compliance Score

Current launch readiness score: 48 out of 100.

Rationale: the platform has a strong technical foundation, clear UGC models, Supabase Auth, Stripe webhook verification, sandbox expiry, storage quotas, signed URLs, and now a comprehensive policy set. However, public launch with accounts, user-generated content, file uploads, children-likely access, marketplace sales, and analytics requires operational controls that are not yet implemented or not yet evident in the codebase.

Public Launch Checklist

Publish all legal pages at /legal.
Replace all placeholder operator details with legal entity name, registered address, company number, VAT/tax details, and live contact inboxes.
Confirm and sign required DPAs with Supabase, Stripe, Resend, Fly.io, Cloudflare, Google, and deployment providers.
Complete records of processing activities.
Complete lawful basis and legitimate interests assessments.
Complete DPIAs for UGC, marketplace, analytics, uploads, child-accessible features, moderation, payments, and WebSockets.
Complete international transfer assessment and transfer safeguards.
Build cookie banner with accept, reject, and customise controls.
Block Google Analytics and marketing tags until valid consent where required.
Store consent records with policy version and category choices.
Add in-app privacy settings and consent management.
Add marketing unsubscribe and suppression records.
Add account deletion UI and API.
Add data export UI and API.
Add session revocation controls.
Add local cache clearing controls.
Add server-side auth and room membership authorization to every room, gameboard, note, folder, repository asset, custom compendium, and character endpoint.
Add object-level authorization tests.
Add admin RBAC and least-privilege controls.
Add audit logs for all sensitive actions.
Add report buttons for rooms, assets, marketplace listings, users, chat/messages if retained, and public pages.
Add report API, moderation queue, triage workflow, and evidence preservation.
Add appeal API and review workflow.
Add statement-of-reasons templates for moderation decisions.
Add child safety escalation and NCA CSEA reporting workflow if in scope.
Complete Online Safety Act illegal-content risk assessment if in scope.
Complete child access assessment and child safety risk assessment if in scope.
Add user block/mute controls where user-to-user interactions exist.
Add marketplace schema for listings, licences, purchases, buyer entitlements, creator payouts, refunds, and chargebacks.
Add creator onboarding, agreement acceptance, identity/tax, sanctions, and payout verification.
Add buyer licence acceptance and receipt records.
Add digital content immediate access and cancellation acknowledgement at checkout.
Add refund request workflow and 14-day refund timing controls where required.
Add chargeback response and payout reversal workflow.
Add marketplace takedown and counter-notice workflow.
Add repeat infringer tracking.
Add file upload malware scanning.
Restrict or sanitise SVG uploads.
Validate MIME type by file content, not only client-provided MIME.
Add content hashing for duplicate/stolen/malware detection.
Add upload quarantine for risky files.
Add creator proof-of-rights workflow.
Add marketplace review/rating anti-manipulation controls if reviews are enabled.
Add rate limits for auth, invite code, uploads, reports, checkout, WebSockets, and sandbox creation.
Add abuse monitoring for automation and scraping.
Add breach response runbook and test it.
Add backup restore testing and retention automation.
Add security vulnerability intake and acknowledgement workflow.
Add incident notification templates for users, processors, ICO, EU authorities, and payment providers.
Add privacy notice links at signup, checkout, marketplace publish, upload, and report flows.
Add age gate or age-appropriate design controls if children are likely to access the Platform.
Add default private settings and clear public/private room controls.
Add room ownership transfer or shared-content deletion rules.
Add access logs for signed asset URLs where feasible.
Add transparency report process if legally required.
Add automated tests for consent gating, authz, deletion, export, reporting, marketplace purchase, refund, and upload safety.