Security

We treat your data like ours.

Practical, no-nonsense security posture. We default to the boring choices, document what we do, and patch fast.

Encryption everywhere

TLS 1.2+ in transit, AES-256 at rest. Encrypted backups with KMS-managed keys, rotated quarterly.

Strong auth, by default

Bcrypt password hashing, JWT access + refresh tokens, optional OAuth providers, API keys constant-time-compared.

Least-privilege access

Role-based access control inside the app, scoped database roles in production, audit-logged admin actions.

Tenant isolation

Per-organization data partitioning. Cross-tenant queries are guarded at the repository layer, never trusted at the API.

We don't train on your data

Prompts, documents, and conversations are never used to train any model. Period.

Vulnerability response

Patches for CVEs in dependencies merged within 72 hours. Coordinated disclosure for issues reported by researchers.

What we do, plainly

  • TLS 1.2+ on all traffic; HSTS preload
  • AES-256 encryption at rest for database and object storage
  • JWT short-lived access tokens (15 min) + httpOnly refresh tokens
  • API keys hashed in database; never logged or echoed
  • Per-org row-level scoping at the repository layer
  • Stripe handles all card data — we never see PAN/CVV
  • Daily automated backups, 30-day retention
  • Incident postmortems published for any user-facing incident
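The two API key items above (constant-time comparison, and keys hashed in the database and never logged) are illustrated by the following added example. It is not the product's own code: the key format, the in-memory table and the SHA-256 hashing are assumptions. Because an API key is a high-entropy random secret rather than a human-chosen password, a plain SHA-256 is enough for storage; bcrypt is only needed where an attacker could guess the input.

```python
"""Added example (not the product's own code): issue an API key, store only
a hash of its secret part, and verify it with a constant-time comparison."""
import hashlib
import hmac
import secrets

# Constructed in-memory stand-in for the database table: key_id -> sha256(secret).
API_KEY_TABLE: dict[str, str] = {}


def _digest(secret: str) -> str:
    # The secret is random and long, so a fast hash is appropriate here.
    return hashlib.sha256(secret.encode()).hexdigest()


def issue_api_key() -> tuple[str, str]:
    """Create a key of the (assumed) form '<key_id>.<secret>'.

    Only the hash of the secret is persisted; the full key is returned
    exactly once so it can be shown to the caller and then forgotten.
    """
    key_id = secrets.token_hex(8)          # hex: never contains '.'
    secret = secrets.token_urlsafe(32)     # url-safe base64: never contains '.'
    API_KEY_TABLE[key_id] = _digest(secret)
    return key_id, f"{key_id}.{secret}"


def verify_api_key(presented: str) -> bool:
    """Return True only if the presented key matches a stored hash."""
    key_id, sep, secret = presented.partition(".")
    if not sep:
        return False
    stored = API_KEY_TABLE.get(key_id)
    # Always hash and compare, even for an unknown key_id, so a lookup miss
    # takes the same time as a wrong secret; compare_digest avoids leaking
    # how many leading bytes matched.
    expected = stored if stored is not None else _digest("")
    matched = hmac.compare_digest(expected, _digest(secret))
    return matched and stored is not None


def redact_for_log(presented: str) -> str:
    """The only form of a key that may reach a log line: the id, never the secret."""
    key_id, _, _ = presented.partition(".")
    return f"key_id={key_id} secret=[REDACTED]"
```

`verify_api_key` deliberately does the hashing and comparison on every path; short-circuiting on an unknown `key_id` would let a caller distinguish valid ids from invalid ones by response time.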
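The tenant isolation claims (cross-tenant queries guarded at the repository layer, per-org row-level scoping) are illustrated by this added example, which is not the product's own code. The `documents` table, the `Principal` type and the SQLite storage are assumptions; the point it demonstrates is that the organization id comes from the authenticated principal and is applied inside the repository, so an API handler cannot forget it or accept it from the request.

```python
"""Added example (not the product's own code): a repository that applies the
caller's org_id to every query, so rows of another tenant are unreachable."""
import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """Identity established by authentication; org_id is never taken from user input."""
    user_id: str
    org_id: str


class DocumentRepository:
    """Every method takes the Principal and scopes by its org_id."""

    def __init__(self, conn: sqlite3.Connection) -> None:
        self.conn = conn

    def get(self, principal: Principal, doc_id: str):
        # Scoping is part of the WHERE clause, not a check done afterwards,
        # so a document id belonging to another org simply does not exist here.
        return self.conn.execute(
            "SELECT id, org_id, title FROM documents WHERE id = ? AND org_id = ?",
            (doc_id, principal.org_id),
        ).fetchone()

    def list_titles(self, principal: Principal) -> list[str]:
        rows = self.conn.execute(
            "SELECT title FROM documents WHERE org_id = ? ORDER BY title",
            (principal.org_id,),
        ).fetchall()
        return [title for (title,) in rows]


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample data: two organizations sharing one table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE documents (id TEXT PRIMARY KEY, org_id TEXT NOT NULL, title TEXT)"
    )
    conn.executemany(
        "INSERT INTO documents VALUES (?, ?, ?)",
        [
            ("d1", "org-a", "Roadmap"),
            ("d2", "org-a", "Budget"),
            ("d3", "org-b", "Hiring plan"),
        ],
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    repo = DocumentRepository(build_demo_db())
    alice = Principal(user_id="u1", org_id="org-a")
    print(repo.get(alice, "d1"))   # own document: row returned
    print(repo.get(alice, "d3"))   # other tenant's document: None
```

Putting the filter in the repository rather than the API layer means a new endpoint that calls `get` with a guessed or enumerated document id still returns nothing for another organization's rows.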

Reporting a vulnerability

Found something? We want to know. Email security@example.com with steps to reproduce. We'll acknowledge within 48 hours and credit researchers who follow coordinated disclosure.
