Security Practices
You're trusting us with your AI compliance data. That data describes your business operations, your AI tools, and your legal exposure. We take that seriously. Here's exactly how we protect it.
Encrypted everywhere
AES-256 at rest, TLS 1.3 in transit. Your data is never readable in storage or in transit.
Row-Level Security
Your data is isolated at the database level. No query can return another user's data.
Zero trust inputs
Every API input validated with Zod. SQL injection, XSS, CSRF — each mitigated at the framework level.
Data encryption
At rest
All data is stored in Supabase (PostgreSQL on AWS). Supabase uses AES-256 encryption for all data at rest. This means even if someone gained physical access to storage media, your data would be unreadable without the encryption keys, which are managed by AWS KMS.
In transit
All connections use TLS 1.2 minimum, TLS 1.3 preferred. Cloudflare Pages (our hosting) enforces HTTPS everywhere with HSTS (HTTP Strict Transport Security). Direct HTTP connections are automatically redirected to HTTPS. Certificate management is handled by Let's Encrypt via Cloudflare.
Passwords
Passwords are hashed using bcrypt with a strong cost factor by Supabase Auth. We never store, log, or see plaintext passwords. Password reset uses a time-limited one-time link sent to your verified email address.
Access controls
Row-Level Security (RLS)
Every table in our database has Row-Level Security enabled. This means the database itself enforces that you can only read and write your own organization's data. Even if an application bug bypassed application-level checks, the database would reject unauthorized queries. This is defense-in-depth.
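As an added illustration, not ComplianceIQ's own schema or policies, here is what organization-scoped RLS looks like on Supabase/PostgreSQL for a constructed `assessments` table; the table, column and policy names are assumptions, and `auth.uid()` is Supabase's built-in helper that returns the `sub` claim of the caller's JWT.

```sql
-- Constructed example (not the product's real schema): an "assessments"
-- table isolated per organization by Row-Level Security policies.
-- Assumes Supabase's auth.uid(), which reads the JWT "sub" claim.

create table organizations (
  id   uuid primary key default gen_random_uuid(),
  name text not null
);

-- Membership: which authenticated user belongs to which organization.
create table org_members (
  org_id  uuid not null references organizations (id),
  user_id uuid not null references auth.users (id),
  primary key (org_id, user_id)
);

create table assessments (
  id         uuid primary key default gen_random_uuid(),
  org_id     uuid not null references organizations (id),
  title      text not null,
  created_at timestamptz not null default now()
);

-- Enabling RLS with no policies means *no rows* are visible to API roles.
alter table org_members enable row level security;
alter table assessments enable row level security;

-- Gotcha: the subquery in the assessments policies below runs as the caller,
-- so org_members needs its own policy or the lookup silently returns nothing.
create policy "members see own membership" on org_members
  for select to authenticated
  using (user_id = auth.uid());

-- Reads: only rows belonging to an organization the caller is a member of.
create policy "org members read own org" on assessments
  for select to authenticated
  using (org_id in (select org_id from org_members where user_id = auth.uid()));

-- Writes: USING limits which existing rows may be updated/deleted,
-- WITH CHECK stops inserting or re-pointing a row into another org.
create policy "org members write own org" on assessments
  for all to authenticated
  using (org_id in (select org_id from org_members where user_id = auth.uid()))
  with check (org_id in (select org_id from org_members where user_id = auth.uid()));

-- Verify from psql by impersonating a user the way PostgREST does:
-- begin;
--   set local role authenticated;
--   select set_config('request.jwt.claims', '{"sub":"<user-uuid>","role":"authenticated"}', true);
--   select * from assessments;   -- only the caller's organization's rows
-- rollback;
```

These policies bind the `anon` and `authenticated` roles that the Supabase client uses with a user's JWT; a client created with the `service_role` key bypasses RLS, so that key belongs only in trusted server-side jobs, never in request handling that acts on behalf of a user.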
Authentication
Authentication is handled by Supabase Auth using JWT tokens. Tokens are short-lived and automatically refreshed. Sessions expire after inactivity. We use httpOnly cookies to prevent XSS from accessing session tokens.
Admin access
Admin endpoints (jurisdiction update review) require a separate admin secret token stored only in server environment variables. Admin tokens are never logged, never exposed to clients, and can only be used server-side.
Application security
Input validation
Every API endpoint validates inputs using Zod schema validation before any database operation. Invalid inputs are rejected with descriptive errors before reaching any downstream code. This eliminates whole classes of injection attacks.
SQL injection prevention
We use the Supabase client library exclusively for database access. All queries use parameterized queries under the hood — no string concatenation, no raw SQL with user input. SQL injection is structurally prevented, not just validated against.
Cross-Site Scripting (XSS)
React (used by Next.js) escapes all output by default. We do not use dangerouslySetInnerHTML with user-supplied content. Content Security Policy headers restrict script sources.
CSRF protection
API routes that modify data use httpOnly cookies for auth (not URL parameters) and validate the Origin header. State-changing operations require authenticated sessions.
Rate limiting
API routes are rate-limited to prevent abuse and brute-force attacks. Authentication endpoints have stricter limits. Cloudflare's edge network provides additional DDoS mitigation.
Security headers
All pages are served with the following security headers:
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; connect-src 'self' https://*.supabase.co https://api.lemonsqueezy.com
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=()
Strict-Transport-Security: max-age=31536000; includeSubDomains
Infrastructure
Hosting: Cloudflare Pages
ComplianceIQ is hosted on Cloudflare Pages' global edge network. Cloudflare is SOC 2 Type 2 certified. Server-side code runs in isolated serverless functions. No persistent servers mean no servers to patch or misconfigure.
Database: Supabase
The database runs on Supabase (PostgreSQL on AWS). Supabase is SOC 2 Type 2 certified. Automated daily backups are kept with 7-day retention, and point-in-time recovery is available. Connection pooling is provided by PgBouncer. The database is not publicly accessible; it can only be reached through the Supabase client with a valid JWT.
Secrets management
All API keys, database credentials, and secrets are stored as Cloudflare Pages environment variables. They are never hardcoded in source code, never logged, and never exposed to clients. We run automated secret scanning before every deployment to catch accidental exposure.
What we're honest about
We believe in transparency, including about our limitations:
- We have not yet undergone a formal third-party security audit (planned after Series A). We use free tools: OWASP ZAP scans, Mozilla Observatory, automated secret scanning.
- We are not SOC 2 certified yet. Planned for when revenue supports the $15-30K cost.
- We are a small team. We take security seriously but are not a dedicated security company.
- If you find a security vulnerability, please report it to security@trycomplianceiq.com. We will respond within 24 hours and credit you publicly if you want.
Report a vulnerability
If you discover a security vulnerability, please email security@trycomplianceiq.com with a description of the vulnerability and steps to reproduce. We will acknowledge your report within 24 hours, investigate promptly, and keep you informed of our progress. We will not take legal action against good-faith security research.
Please do not publicly disclose the vulnerability until we have had a reasonable time to address it (typically 90 days for complex issues, much less for critical ones).
Questions about our security practices?