Security is core to what we do. Project data is sensitive — we treat it that way. Below is an overview of the measures we take to protect your data and platform access.
Data Encryption
All data is encrypted in transit using TLS 1.2 or higher
All data is encrypted at rest using AES-256
Passwords are hashed with bcrypt, which generates a unique salt for every password; we never store plaintext passwords
Database backups are encrypted
Authentication & Access Control
Multi-factor authentication (MFA) available on all plans
SSO/SAML integration available on Business and Enterprise plans
Sessions expire automatically after inactivity
Role-based access control (RBAC) within workspaces
All API requests must carry a valid authentication token; unauthenticated requests are rejected
Row-level security (RLS) policies are enforced in the database itself, so a user can only read or modify rows they are authorized to access, even if an application-layer check is bypassed
Infrastructure
Hosted on Vercel (edge network) and Supabase (database) — both SOC 2 Type II certified
Automated daily database backups with point-in-time recovery
Dependency scanning and vulnerability alerts via automated tooling
Production environment is isolated from development and staging
Security headers enforced on all responses (HSTS, CSP, X-Frame-Options, etc.)
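The headers listed above are only useful if every response actually carries them with safe values. As an added example (not the platform's own middleware or configuration), the following JavaScript audits a response's header set against a baseline: HSTS with a max-age of at least one year and includeSubDomains, a CSP whose script sources do not allow 'unsafe-inline' and that sets frame-ancestors, X-Frame-Options of DENY or SAMEORIGIN, and X-Content-Type-Options: nosniff. The thresholds and the two sample header sets are assumptions chosen for illustration; the page does not state the exact values the platform sends.

```javascript
// Added example: audit a response's security headers against a baseline
// policy. Illustrative code, not the platform's own middleware. The
// thresholds (1-year HSTS, no 'unsafe-inline' in script-src, etc.) are
// common recommendations, not values the page states.

const ONE_YEAR = 31536000; // seconds

// Parse a Content-Security-Policy value into { directive: [sources...] }.
function parseCsp(value) {
  const out = {};
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    out[name.toLowerCase()] = sources;
  }
  return out;
}

// Parse Strict-Transport-Security into { maxAge, includeSubDomains, preload }.
function parseHsts(value) {
  const result = { maxAge: null, includeSubDomains: false, preload: false };
  for (const part of value.split(';')) {
    const token = part.trim().toLowerCase();
    if (token.startsWith('max-age=')) {
      const n = Number.parseInt(token.slice('max-age='.length), 10);
      if (Number.isFinite(n)) result.maxAge = n;
    } else if (token === 'includesubdomains') {
      result.includeSubDomains = true;
    } else if (token === 'preload') {
      result.preload = true;
    }
  }
  return result;
}

// Return a list of findings; an empty list means the response meets the
// baseline. `headers` is a plain object; names are matched case-insensitively.
function auditSecurityHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const findings = [];

  const hsts = h['strict-transport-security'];
  if (!hsts) {
    findings.push('missing Strict-Transport-Security');
  } else {
    const { maxAge, includeSubDomains } = parseHsts(hsts);
    if (maxAge === null || maxAge < ONE_YEAR) findings.push('HSTS max-age below one year');
    if (!includeSubDomains) findings.push('HSTS lacks includeSubDomains');
  }

  const csp = h['content-security-policy'];
  if (!csp) {
    findings.push('missing Content-Security-Policy');
  } else {
    const d = parseCsp(csp);
    // script-src falls back to default-src when absent, as the CSP spec defines.
    const scriptSrc = d['script-src'] || d['default-src'];
    if (!scriptSrc) findings.push('CSP has neither script-src nor default-src');
    else if (scriptSrc.includes("'unsafe-inline'")) findings.push("CSP script-src allows 'unsafe-inline'");
    if (!d['frame-ancestors']) findings.push('CSP lacks frame-ancestors');
  }

  const xfo = (h['x-frame-options'] || '').toUpperCase();
  if (!['DENY', 'SAMEORIGIN'].includes(xfo)) findings.push('X-Frame-Options must be DENY or SAMEORIGIN');

  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') {
    findings.push('X-Content-Type-Options should be nosniff');
  }

  return findings;
}

// Constructed sample header sets (not captured from the platform).
const WEAK_HEADERS = {
  'Strict-Transport-Security': 'max-age=3600',
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'unsafe-inline'",
  'X-Frame-Options': 'ALLOWALL',
};

const HARDENED_HEADERS = {
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload',
  'Content-Security-Policy': "default-src 'self'; script-src 'self'; frame-ancestors 'none'; object-src 'none'",
  'X-Frame-Options': 'DENY',
  'X-Content-Type-Options': 'nosniff',
};

console.log('weak:', auditSecurityHeaders(WEAK_HEADERS));         // six findings
console.log('hardened:', auditSecurityHeaders(HARDENED_HEADERS)); // []
```

Point the same function at the headers of a real response (for example, the object returned by `fetch` after converting `response.headers` with `Object.fromEntries`) to turn the bullet above into a check that can run in CI against every deployed route, rather than a statement taken on trust.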
Monitoring & Audit Logs
Real-time monitoring of API errors, latency, and anomalies
Audit logs capture all sensitive actions (login, data export, permission changes)
Audit logs are available to Business and Enterprise customers in-platform
AI Processing
AI queries are processed by Anthropic. Under our agreement, your data is not used to train AI models
Prompts and responses are logged for debugging and abuse prevention, not for model training
Enterprise customers can request single-tenant AI processing
Vulnerability Disclosure
If you discover a security vulnerability, please report it responsibly. Do not publicly disclose vulnerabilities before we have had a chance to address them.
Please include: a description of the vulnerability, steps to reproduce, potential impact, and your contact details. We aim to acknowledge reports within 48 hours and provide a resolution timeline within 5 business days.