Last updated: June 2026
We describe the technical and organizational measures we apply today to protect the Service and its data. We list only controls that are actually implemented; planned improvements are identified as such.
All traffic travels over HTTPS/TLS, with security headers on the frontend (X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy). Encryption of data at rest is managed by our database and storage infrastructure (Supabase/PostgreSQL).
Authentication uses Supabase Auth with JWT tokens and session refresh. Isolation between clients is enforced with Row Level Security (RLS) by user identifier on sensitive tables, reinforced with internal guards in privileged database functions. An automated isolation test verifies that one tenant cannot read or write another tenant's data.
Server (edge) functions validate their authorization via JWT, HMAC signatures on webhooks (Meta, Mercado Pago, Paddle) or a cron secret, as applicable. An automated audit verifies that each function exposes an explicit guard. Cross-origin access is restricted with an allowlist of permitted origins.
We apply PII masking (maskPII) to phone numbers and emails in processing logs, and redact secrets (keys, tokens) before any logging. Error monitoring (Sentry) is configured not to send PII automatically.
We apply rate limits, a circuit breaker and a central anti-abuse budget that safely throttles AI, file, embedding and sending consumption. An input guard blocks prompt injection and malicious payloads; repeated attempts to manipulate the assistant result in blocking.
We maintain a battery of automated tests that run in continuous integration: tenant isolation, edge function authorization audit, anti-abuse budget control and adversarial tests against the AI models.
We do not claim certifications (e.g. SOC 2) at this time. Optional TOTP two-step verification is available for accounts and required for account deletion; managed backups with point-in-time recovery (PITR) and leaked-password protection are enabled upon moving to Supabase Pro, before onboarding clients with real production data.
We use essential and analytics cookies to improve your experience. More information