Security

    Last updated: June 2026

    We describe the technical and organizational measures we apply today to protect the Service and its data. We list only controls that are actually implemented; planned improvements are identified as such.

    Encryption

    All traffic travels over HTTPS/TLS, with security headers on the frontend (X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy). Encryption of data at rest is managed by our database and storage infrastructure (Supabase/PostgreSQL).

    Access control and tenant isolation

    Authentication uses Supabase Auth with JWT tokens and session refresh. Isolation between clients is enforced with Row Level Security (RLS) by user identifier on sensitive tables, reinforced with internal guards in privileged database functions. An automated isolation test verifies that one tenant cannot read or write another tenant's data.

    Application and edge function security

    Server (edge) functions validate their authorization via JWT, HMAC signatures on webhooks (Meta, Mercado Pago, Paddle) or a cron secret, as applicable. An automated audit verifies that each function exposes an explicit guard. Cross-origin access is restricted with an allowlist of permitted origins.

    Sensitive data protection

    We apply PII masking (maskPII) to phone numbers and emails in processing logs, and redact secrets (keys, tokens) before any logging. Error monitoring (Sentry) is configured not to send PII automatically.

    Anti-abuse and availability

    We apply rate limits, a circuit breaker and a central anti-abuse budget that safely throttles AI, file, embedding and sending consumption. An input guard blocks prompt injection and malicious payloads; repeated attempts to manipulate the assistant result in blocking.

    Continuous verification

    We maintain a battery of automated tests that run in continuous integration: tenant isolation, edge function authorization audit, anti-abuse budget control and adversarial tests against the AI models.

    Improvements in progress

    We do not claim certifications (e.g. SOC 2) at this time. Optional TOTP two-step verification is available for accounts and required for account deletion; managed backups with point-in-time recovery (PITR) and leaked-password protection are enabled upon moving to Supabase Pro, before onboarding clients with real production data.