Security
This page describes MimicBot's security posture. It is informational and not a legally binding commitment. For any security concerns, email [email protected].
- In transit: TLS 1.3 (older versions rejected)
- At rest: AES-256 (Supabase / AWS managed keys)
- Auth: Supabase OAuth 2.0, bcrypt passwords, rotated JWTs
- Tenancy: logical isolation per workspace
- Incident response: customer notification within 24 hours of confirmation
- Responsible disclosure: 90-day private window before public disclosure
Data handling
We collect only the data necessary to operate the service: the URLs you crawl, the chat transcripts your users generate, and the account and billing information you provide. Crawled content is indexed and stored in logically isolated, per-tenant partitions of our data stores. We do not sell or rent your data to third parties.
Tenant data is logically separated at the database level. Direct cross-tenant queries are not possible through our API: every query is scoped to the workspace of the authenticated session, so a request cannot read or modify another workspace's records even if it supplies that workspace's identifiers.
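The following is an added example, not MimicBot's code, showing the shape of the scoping described above: a data-access layer in which the tenant predicate is attached to every query from the authenticated session, so a caller that guesses another workspace's primary key gets nothing back. The schema, the `Session` type, the `mb_`-style workspace ids and the sample rows are all assumptions constructed for the example.

```python
"""Added example (not MimicBot's code): tenant-scoped data access.

Assumptions (not from the page): an in-memory SQLite `documents` table with a
`workspace_id` column, and a `Session` produced by authentication that carries
the workspace id server-side. Sample rows below are constructed.
"""
import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """Result of authentication. workspace_id comes from the verified token,
    never from a request parameter the client controls."""
    user_id: str
    workspace_id: str


class DocumentRepo:
    def __init__(self, conn: sqlite3.Connection):
        self.conn = conn

    def list_documents(self, session: Session) -> list:
        # The tenant predicate is added here, unconditionally; callers cannot omit it.
        rows = self.conn.execute(
            "SELECT id, url FROM documents WHERE workspace_id = ? ORDER BY id",
            (session.workspace_id,),
        ).fetchall()
        return [(r[0], r[1]) for r in rows]

    def get_document(self, session: Session, doc_id: int):
        # Lookup by primary key is still scoped: a foreign id yields None, not a row.
        row = self.conn.execute(
            "SELECT id, url, content FROM documents WHERE id = ? AND workspace_id = ?",
            (doc_id, session.workspace_id),
        ).fetchone()
        return None if row is None else {"id": row[0], "url": row[1], "content": row[2]}


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample data for two workspaces (illustrative only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE documents ("
        "id INTEGER PRIMARY KEY, workspace_id TEXT NOT NULL, "
        "url TEXT NOT NULL, content TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO documents (id, workspace_id, url, content) VALUES (?, ?, ?, ?)",
        [
            (1, "ws_acme", "https://acme.example/docs", "acme pricing page"),
            (2, "ws_acme", "https://acme.example/faq", "acme faq"),
            (3, "ws_globex", "https://globex.example/", "globex internal roadmap"),
        ],
    )
    conn.commit()
    return conn


def demo() -> dict:
    """Run both tenants through the repo; returns results for inspection."""
    repo = DocumentRepo(build_demo_db())
    acme = Session(user_id="u1", workspace_id="ws_acme")
    globex = Session(user_id="u2", workspace_id="ws_globex")
    return {
        "acme_ids": [d[0] for d in repo.list_documents(acme)],
        "globex_ids": [d[0] for d in repo.list_documents(globex)],
        # acme guesses globex's document id 3: the scoped lookup returns None
        "acme_reads_globex_doc": repo.get_document(acme, 3),
        "globex_reads_own_doc": repo.get_document(globex, 3)["url"],
    }


if __name__ == "__main__":
    print(demo())
```

The point of routing all access through one repository is that the workspace predicate is not something each endpoint has to remember; the check a reviewer should make is that no code path builds a query against tenant tables outside this layer.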
Encryption
All data in transit is encrypted with TLS 1.3. Connections that attempt older protocol versions are rejected. Data at rest is encrypted with AES-256 using keys managed by our cloud provider (Supabase / AWS). Backups are encrypted under the same key hierarchy.
Authentication
User authentication is handled by Supabase Auth, which implements industry-standard OAuth 2.0 flows and email/password sign-in with bcrypt password hashing. Session tokens are short-lived JWTs rotated on each request. We do not store raw passwords at any layer of the stack.
API keys issued to embed deployments are hashed (SHA-256) before storage. The plaintext key is shown once at creation and cannot be retrieved afterwards.
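As an added example that is not MimicBot's code, the block below shows the lifecycle the paragraph describes: a key is generated from a CSPRNG, only its SHA-256 digest is stored, the plaintext is returned exactly once, and verification hashes the presented key and compares digests in constant time. The `mb_` prefix, the key-id/secret layout and the in-memory store are assumptions for the example. Plain SHA-256 is adequate here because the secret part carries 256 bits of entropy; low-entropy user passwords are a different case and need bcrypt, as the page says for sign-in.

```python
"""Added example (not MimicBot's code): issue-once, hash-at-rest API keys.

Assumptions (not from the page): key format "mb_<key_id>_<secret>" where
key_id is a short public locator, and a dict standing in for the database.
"""
import hashlib
import hmac
import secrets

# key_id -> {"digest": hex SHA-256 of the full plaintext key, "workspace_id": ...}
KEY_STORE: dict = {}


def _digest(key: str) -> str:
    # Unsalted SHA-256 is acceptable only because the secret is 32 CSPRNG bytes;
    # an attacker who steals the digest cannot brute-force 256 bits of entropy.
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


def key_id_of(plaintext: str):
    """Extract the public locator from a key, or None if the format is wrong."""
    parts = plaintext.split("_")
    if len(parts) != 3 or parts[0] != "mb":
        return None
    return parts[1]


def issue_key(workspace_id: str) -> str:
    """Create a key for a workspace. The returned plaintext is the only copy."""
    key_id = secrets.token_hex(6)       # public, used to locate the record
    secret = secrets.token_hex(32)      # 256 bits of entropy, hex so no '_' appears
    plaintext = f"mb_{key_id}_{secret}"
    KEY_STORE[key_id] = {"digest": _digest(plaintext), "workspace_id": workspace_id}
    return plaintext                    # shown once to the user, never persisted


def verify_key(presented: str):
    """Return the owning workspace_id, or None if the key is unknown, wrong or revoked."""
    key_id = key_id_of(presented)
    if key_id is None:
        return None
    record = KEY_STORE.get(key_id)
    if record is None:
        return None
    # compare_digest runs in time independent of where the first mismatch is
    if not hmac.compare_digest(record["digest"], _digest(presented)):
        return None
    return record["workspace_id"]


def revoke_key(key_id: str) -> bool:
    """Delete the stored digest; the plaintext is then useless to its holder."""
    return KEY_STORE.pop(key_id, None) is not None


if __name__ == "__main__":
    k = issue_key("ws_demo")
    print("issued:", k)
    print("verifies as:", verify_key(k))
    revoke_key(key_id_of(k))
    print("after revoke:", verify_key(k))
```

Because only the digest is stored, "cannot be retrieved afterwards" holds at the data layer and not just at the UI: a database dump yields digests that cannot be turned back into usable keys. Revocation is simply deleting the record.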
Incident response
If we discover a security incident affecting customer data, we will notify affected customers within 24 hours of confirming the incident. Notifications will be sent to the primary account email address and will include: the nature of the incident, the data categories potentially affected, the steps we have taken to contain it, and the steps customers should take.
Contact [email protected] to reach our security team directly.
Responsible disclosure
We operate a responsible disclosure program. If you discover a vulnerability, please email [email protected] with a detailed description and reproduction steps. We ask that you give us 90 days to remediate before public disclosure.
PGP key coming soon — contact us for secure disclosure in the meantime and we will coordinate an out-of-band channel.