Security

All data encrypted in transit (TLS 1.3) and at rest (AES-256). Database connections use SSL. API keys are hashed with SHA-256 before storage.

Hosted on Vercel (SOC 2 Type II) with Supabase (SOC 2 Type II) for database. Automatic failover, daily backups, and point-in-time recovery.

Row-level security policies on all database tables. Role-based access (admin, analyst, viewer). Multi-tenant isolation via organization IDs.

Supabase Auth with secure JWT tokens. Password hashing with bcrypt. Support for password reset flows. API keys with configurable scopes and expiration.

API rate limiting per key and per plan. Webhook signature verification for Stripe. CORS policies restrict cross-origin access.

SOC 2 Type II certification planned. GDPR-compliant data handling. Right to erasure supported. Annual security audits on roadmap.