Security Controls
Our security controls organized by category
Cloud Infrastructure
All services hosted on EU-based infrastructure
Data Encryption at Rest
All data encrypted using AES-256
Data Encryption in Transit
All connections use TLS 1.3
Database Security
Supabase PostgreSQL with Row Level Security (RLS)
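As an added illustration (not the project's own schema or policies), this is what the RLS control above looks like in Supabase-flavoured PostgreSQL. The `documents` table, its columns and the placeholder user id are hypothetical; `auth.uid()` is Supabase's helper that returns the `sub` claim of the request's JWT, or NULL for anonymous requests.

```sql
-- Added example; "documents" and its columns are hypothetical, not the project's real schema.
create table public.documents (
  id         bigint generated always as identity primary key,
  owner_id   uuid not null references auth.users (id) on delete cascade,
  title      text not null,
  body       text,
  created_at timestamptz not null default now()
);

-- RLS is off by default. Without this statement the policies below are never
-- consulted and the anon/authenticated roles can read and write every row.
alter table public.documents enable row level security;

-- Read: a user sees only rows they own. Granting to "authenticated" only means
-- the anon role gets nothing at all (RLS is deny-by-default once enabled).
create policy "documents_select_own"
  on public.documents for select
  to authenticated
  using (owner_id = auth.uid());

-- Insert: WITH CHECK is evaluated on the new row, so a client cannot create a
-- document on behalf of another user by supplying a foreign owner_id.
create policy "documents_insert_own"
  on public.documents for insert
  to authenticated
  with check (owner_id = auth.uid());

-- Update: USING selects which rows may be touched, WITH CHECK stops the owner
-- from reassigning a row to someone else.
create policy "documents_update_own"
  on public.documents for update
  to authenticated
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());

create policy "documents_delete_own"
  on public.documents for delete
  to authenticated
  using (owner_id = auth.uid());

-- Manual check from the SQL editor: impersonate a user the way PostgREST does
-- (set_config scope is the current transaction; the UUID is a made-up placeholder).
begin;
set local role authenticated;
select set_config('request.jwt.claims',
  '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}', true);
select id, title from public.documents;   -- only that user's rows come back
rollback;
```

Two caveats worth checking in any RLS-backed deployment: RLS has to be enabled on every table that the anon or authenticated key can reach, since a single table left without it is fully exposed through the REST API; and the `service_role` key bypasses RLS entirely, so it belongs only in server-side code, never in anything shipped to the browser.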
File Storage Security
Google Cloud Storage with signed URLs (7-day expiry, which is also the longest lifetime GCS permits for V4 signed URLs)
DDoS Protection
Cloudflare/Vercel edge protection
Secure API Design
All API routes require authentication
Security Responsibility
Dedicated security oversight
Vendor Risk Management
All vendors reviewed for security compliance
Security Awareness
Regular security best practices review
Authentication
Supabase Auth with email verification
Session Management
Secure session handling with token refresh
Password Requirements
Minimum strength requirements enforced
OAuth Integration
Google and GitHub SSO options
Rate Limiting
API rate limiting to prevent abuse
Input Validation
Server-side validation on all inputs
CSRF Protection
Built-in Next.js CSRF protections
Code Review
All changes reviewed before deployment
Dependency Management
Regular dependency updates and audits
Error Monitoring
Sentry integration for error tracking
Logging
Application logging for security events
Incident Response
Defined process for security incidents
GDPR Compliance
Full GDPR compliance for EU users
Data Minimization
Only collect necessary data
Data Retention
User data deleted within 30 days of account deletion
User Data Export
Users can export their data
Account Deletion
Users can delete their account and data
Cookie Consent
Cookie consent banner with preferences
Privacy Policy
Comprehensive privacy policy published
Terms of Service
Clear terms of service published
SOC 2 Type II
Independent auditor's attestation report on the design and operating effectiveness of security controls over a review period (SOC 2 is an attestation, not a certification)
ISO 27001
Information security management certification