Security
JWT-based authentication via Supabase Auth. Role-based access control with admin, manager, and member roles. All API routes enforce authentication with Bearer token verification.
All data is encrypted in transit via TLS 1.3. Database encryption at rest is provided by Supabase (AES-256). Sensitive credentials are encrypted before storage.
Stripe handles all payment processing. We never store credit card numbers. Stripe is PCI DSS Level 1 certified — the highest level of certification.
Hosted on Vercel (SOC 2 Type II). Database on Supabase (SOC 2 Type II). Automatic DDoS protection, rate limiting on all endpoints, and security headers (HSTS, CSP, X-Frame-Options).
Supabase Row-Level Security (RLS) ensures each company can only access its own data. Multi-tenant isolation is enforced at the database level.
Comprehensive audit logging via the agent_audit_log table. All data access is tracked. We are actively preparing for SOC 2 Type II certification.
We follow data minimization principles. Customer data is processed only for the services requested. GDPR-compliant data export and deletion available on Enterprise plans.