Security

Last updated 2026-05-14

Infrastructure

  • Hosted on Vercel (SOC 2 Type II) and Supabase (SOC 2, HIPAA, EU-West-1 region).
  • All traffic over TLS 1.2+.
  • Postgres data is encrypted at rest (AES-256).
  • Row-level security on every user-data table; default deny.

Authentication

  • Magic-link email login via Supabase Auth. Session tokens are JWTs delivered in HTTP-only cookies.
  • Service-to-service auth via API keys. Keys are hashed (sha256) before storage; raw values are shown ONCE at issuance.
  • API keys are scoped (read / write / admin) and per-user rate-limited.
  • Webhook payloads are signed with HMAC-SHA256 under a per-endpoint secret. Each delivery carries a timestamp covered by the signature; receivers should reject deliveries whose timestamp is more than 5 minutes from their own clock (the replay window).

Secrets

  • All third-party credentials (Stripe, OpenAI, FMP, etc.) live as Vercel encrypted env vars and never appear in client-side bundles.
  • The Supabase service-role key is restricted to server-side code, enforced by a lint rule and by naming convention.
  • We do not log secrets or PII into application logs.

Webhooks

  • Outbound webhooks are refused to RFC 1918 and link-local destinations (SSRF guard).
  • HTTPS only.
  • Redirects are handled manually; we do not follow redirects to other hosts.

Reporting a vulnerability

Email security@intelligence-beryl.vercel.app with details. We respond within 48 hours.

Subprocessors

See the Privacy policy for the full list of third-party processors that handle user data.