
Security.

How we protect your data at every layer — from encryption and infrastructure to the AI pipeline and the vocabulary your team uses. Plain English, not a checkbox tour.

01·Chapter

The six pillars.

Each pillar is a boundary a compromise would have to cross. Layered on purpose — one failing doesn’t expose your data.

01

Encryption

All data encrypted in transit (TLS 1.3) and at rest (AES-256). API keys and OAuth tokens use additional application-layer encryption.

02

Row-level security

Every database query is scoped to your workspace via Supabase RLS policies. No cross-tenant data leakage is possible.
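As an added illustration of what a workspace-scoped RLS setup looks like (this is example SQL written for this page, not Brandlism's own schema; the table and column names `workspace_members`, `brand_assets` and `workspace_id` are assumptions), the policies below tie every read and write of a tenant table to the calling user's workspace membership, using the `auth.uid()` helper that Supabase exposes from the session JWT:

```sql
-- Assumed schema (constructed for this example): who belongs to which workspace,
-- and a tenant-owned table whose rows must never cross workspace boundaries.
create table workspace_members (
  workspace_id uuid not null,
  user_id      uuid not null references auth.users (id),
  primary key (workspace_id, user_id)
);

create table brand_assets (
  id           uuid primary key default gen_random_uuid(),
  workspace_id uuid not null,
  name         text not null
);

-- Policies are inert until RLS is enabled on the table; FORCE also applies
-- them to the table owner, which otherwise bypasses RLS entirely.
alter table brand_assets enable row level security;
alter table brand_assets force row level security;

-- SELECT: a row is visible only if the caller is a member of its workspace.
create policy "members read own workspace assets"
  on brand_assets for select
  to authenticated
  using (
    exists (
      select 1 from workspace_members m
      where m.workspace_id = brand_assets.workspace_id
        and m.user_id = auth.uid()
    )
  );

-- INSERT: WITH CHECK is what stops a caller writing a row tagged with some
-- other tenant's workspace_id; a USING clause alone would not cover writes.
create policy "members insert into own workspace"
  on brand_assets for insert
  to authenticated
  with check (
    exists (
      select 1 from workspace_members m
      where m.workspace_id = brand_assets.workspace_id
        and m.user_id = auth.uid()
    )
  );

-- UPDATE/DELETE follow the same pattern: USING picks the rows the caller may
-- touch, WITH CHECK (on update) constrains what they may become.
create policy "members update own workspace assets"
  on brand_assets for update
  to authenticated
  using (
    exists (select 1 from workspace_members m
            where m.workspace_id = brand_assets.workspace_id and m.user_id = auth.uid())
  )
  with check (
    exists (select 1 from workspace_members m
            where m.workspace_id = brand_assets.workspace_id and m.user_id = auth.uid())
  );

-- With these in place, an application query needs no tenant filter of its own;
-- the database returns only the caller's workspace rows regardless of what
-- the application code asks for.
select id, name from brand_assets;
```

Two operational points follow from this pattern: the policies only apply to connections made with a user's JWT, so code paths that use the Supabase service-role key bypass RLS and must carry their own scoping; and a table with RLS enabled but no policy at all returns nothing, which is the safe default to start from before adding per-operation policies.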

03

Access control

Authentication via Supabase Auth with HTTP-only cookies. OAuth 2.0 for third-party integrations with minimal scope requests.

04

Infrastructure

Hosted on Vercel (SOC 2) and Supabase (SOC 2, HIPAA eligible). Automatic scaling, DDoS protection, 99.9% uptime SLA.

05

API security

API keys are hashed before storage. Rate limiting on all endpoints. Input validation and sanitization to prevent injection.
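To show what "hashed before storage" means in practice, here is an added example (written for this page, not Brandlism's own code; the `api_keys` table, the `bk_live_` prefix convention and the `resolve_api_key` function are assumptions) in which the database holds only a SHA-256 digest of each key, so that a read of the table does not yield a usable credential:

```sql
-- digest() comes from pgcrypto, which is available in Supabase Postgres.
create extension if not exists pgcrypto;

create table api_keys (
  id           uuid primary key default gen_random_uuid(),
  workspace_id uuid not null,
  key_prefix   text not null,         -- short public prefix, shown in the UI so users can identify a key
  key_hash     bytea not null unique, -- sha256 of the full secret; the plaintext is never stored
  created_at   timestamptz not null default now(),
  revoked_at   timestamptz
);

-- Issuing a key: the server generates a long random secret, shows it to the
-- user exactly once, and writes only its digest. The values below are
-- constructed placeholders, not real credentials.
insert into api_keys (workspace_id, key_prefix, key_hash)
values (
  '00000000-0000-0000-0000-000000000001',
  'bk_live_3f9a',
  digest('bk_live_3f9a_EXAMPLE_SECRET_PLACEHOLDER_0123456789', 'sha256')
);

-- Authenticating a request: hash the presented key and look up the digest.
-- A revoked key or one that was never issued returns no row, so the caller
-- learns nothing about which of the two it was.
create or replace function resolve_api_key(presented text)
returns uuid
language sql stable
as $$
  select workspace_id
  from api_keys
  where key_hash = digest(presented, 'sha256')
    and revoked_at is null
$$;

-- Usage: returns the workspace uuid for a valid key, or no row otherwise.
select resolve_api_key('bk_live_3f9a_EXAMPLE_SECRET_PLACEHOLDER_0123456789');
```

A plain SHA-256 is appropriate here only because API keys are long, server-generated random strings; there is no dictionary to brute-force against the digest. User-chosen passwords are a different case and belong behind a slow, salted hash such as bcrypt or Argon2, which Supabase Auth handles for you. Revocation is a timestamp rather than a delete so that the audit trail of which key existed, and when, survives.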

06

Best practices

No secrets in client bundles. Soft-delete for data recovery. Regular dependency audits. Prompt injection mitigations for AI features.

02·Chapter

Compliance posture.

We inherit SOC 2 Type II via Vercel and Supabase and handle data with GDPR and CCPA in mind.

  • SOC 2 Type II

    Inherited via Vercel and Supabase infrastructure. Both providers maintain active SOC 2 Type II certification.

  • GDPR-ready

    Data minimization, right to erasure, data portability, and processing records.

  • CCPA

    California residents can request access, deletion, and opt-out of data sale (we never sell data).

03·Chapter

Responsible AI.

Your brand data never trains a model. Every AI output is labeled. Human review is assumed, not optional.

  • AI outputs are clearly labeled

    Every AI-generated analysis, suggestion, or draft is marked.

  • No training on customer data

    Your brand data, prompts, and outputs are never used to train models.

  • Human review assumed, not optional

    We encourage human review for all AI-generated content before publication or external use.

Coordinated disclosure

Found a vulnerability?

We take every report seriously. Email us directly — we respond within 24 hours.

security@brandlism.ai