Security overview
Data encryption
- All data is encrypted in transit using TLS 1.2+
- Data at rest is encrypted using AES-256
- API keys are stored as salted hashes — plaintext keys are never stored after creation
Authentication
- Email/password authentication with bcrypt hashing
- OAuth2 (Google) single sign-on available
- Session tokens are short-lived with secure refresh rotation
- Platform admins require additional verification
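The "short-lived session tokens with secure refresh rotation" item above describes a mechanism rather than a single fact, so an added example follows. It is illustrative code written for this page, not the platform's own implementation, and it assumes details the overview does not state: a 15-minute access-token lifetime, a 7-day refresh-token lifetime, tokens stored only as SHA-256 digests, and revocation of an entire token family when a previously used refresh token is presented again (a common way to detect a stolen refresh token; the page does not say the platform does this).

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

# Assumed lifetimes; the overview says only "short-lived".
ACCESS_TTL = 15 * 60          # seconds
REFRESH_TTL = 7 * 24 * 3600   # seconds


def _digest(token: str) -> str:
    # Store only a digest so a leaked store cannot be replayed as live tokens.
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class RefreshRecord:
    user_id: str
    family: str       # all tokens descended from one login share a family id
    expires_at: float
    used: bool = False


class SessionStore:
    """In-memory session store; a real deployment would back this with a database."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._access = {}              # digest -> (user_id, family, expires_at)
        self._refresh = {}             # digest -> RefreshRecord
        self._revoked_families = set()

    def login(self, user_id: str):
        """Start a new token family for a freshly authenticated user."""
        return self._issue(user_id, secrets.token_hex(8))

    def _issue(self, user_id: str, family: str):
        now = self._clock()
        access = secrets.token_urlsafe(32)
        refresh = secrets.token_urlsafe(32)
        self._access[_digest(access)] = (user_id, family, now + ACCESS_TTL)
        self._refresh[_digest(refresh)] = RefreshRecord(user_id, family, now + REFRESH_TTL)
        return access, refresh

    def authenticate(self, access: str):
        """Return the user id for a valid, unexpired access token, else None."""
        rec = self._access.get(_digest(access))
        if rec is None:
            return None
        user_id, family, expires_at = rec
        if family in self._revoked_families or self._clock() >= expires_at:
            return None
        return user_id

    def refresh(self, refresh_token: str):
        """Rotate: consume the presented refresh token and issue a new pair."""
        rec = self._refresh.get(_digest(refresh_token))
        if rec is None or rec.family in self._revoked_families:
            return None
        if rec.used:
            # A rotated token presented a second time means either the client
            # or an attacker holds a stale copy: revoke the whole family.
            self._revoked_families.add(rec.family)
            return None
        if self._clock() >= rec.expires_at:
            return None
        rec.used = True
        return self._issue(rec.user_id, rec.family)
```

Passing an injectable `clock` keeps the expiry logic testable without sleeping; the replay branch is the part worth reading closely, since rotation without reuse detection only limits how long a stolen refresh token works, not whether it works at all.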
Access control
- Row-level security (RLS) enforced at the database layer
- Organization isolation: users can only access data within their organization
- API keys are scoped to a single subscription
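Two items on this page fit one worked example: API keys stored only as salted hashes (under Data encryption) and API keys scoped to a single subscription inside a single organization (above). The code below is an added illustration, not the platform's own key format or storage code. It assumes a constructed key layout of `sk_<key id>.<secret>` so that a record can be found by id before the salted hash is checked (with a random per-key salt, the hash itself cannot be used for lookup), PBKDF2-HMAC-SHA256 as the salted hash, and a constant-time comparison on verification.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

PREFIX = "sk_"        # constructed prefix for this example, not the vendor's format
PBKDF2_ROUNDS = 10_000  # keys are high-entropy, so far fewer rounds than a password KDF are needed


@dataclass(frozen=True)
class StoredKey:
    key_id: str
    salt: bytes
    digest: bytes           # salted hash; the plaintext secret is never kept
    organization_id: str
    subscription_id: str    # each key is bound to exactly one subscription


def _hash_secret(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


class ApiKeyStore:
    """In-memory key store standing in for a database table."""

    def __init__(self):
        self._keys = {}  # key_id -> StoredKey

    def create(self, organization_id: str, subscription_id: str) -> str:
        """Mint a key and return its plaintext exactly once; only the hash is stored."""
        key_id = secrets.token_hex(6)
        secret = secrets.token_urlsafe(32)
        salt = secrets.token_bytes(16)
        self._keys[key_id] = StoredKey(
            key_id, salt, _hash_secret(secret, salt), organization_id, subscription_id
        )
        return f"{PREFIX}{key_id}.{secret}"

    def authenticate(self, presented: str):
        """Return the StoredKey for a valid presented key, else None."""
        if not presented.startswith(PREFIX):
            return None
        key_id, sep, secret = presented[len(PREFIX):].partition(".")
        if not sep:
            return None
        rec = self._keys.get(key_id)
        if rec is None:
            return None
        # Constant-time compare so verification time does not leak how many bytes matched.
        if not hmac.compare_digest(_hash_secret(secret, rec.salt), rec.digest):
            return None
        return rec


def authorize(store: ApiKeyStore, presented: str, organization_id: str, subscription_id: str) -> bool:
    """Allow a request only if the key is valid AND bound to the requested org and subscription."""
    rec = store.authenticate(presented)
    if rec is None:
        return False
    return rec.organization_id == organization_id and rec.subscription_id == subscription_id
```

The scoping check in `authorize` is the application-layer counterpart of the database-level isolation the page describes: even a valid key is refused for any subscription or organization other than the one it was created for, and the store never holds anything from which the plaintext key could be recovered.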
Compliance
We are working toward SOC 2 Type II certification. Our Security & Compliance page has the latest status.
For enterprise compliance requirements (GDPR DPA, custom DPA, penetration test reports), contact sales.
Reporting a vulnerability
Please report security vulnerabilities responsibly via our security contact. Do not publicly disclose before we've had a chance to respond.