Legal · Security
Security.
How we protect your data at every layer — from encryption and infrastructure to the AI pipeline and the vocabulary your team uses. Plain English, not a checkbox tour.
Last reviewed July 13, 2026
01·Chapter
The six pillars.
Each pillar is a boundary a compromise would have to cross. Layered on purpose — one failing doesn’t expose your data.
Encryption
Connections use HTTPS/TLS. Stored data uses the encryption controls provided by our infrastructure providers; sensitive integration credentials receive additional server-side protection where supported.
Workspace isolation
Workspace access is enforced with Supabase row-level authorization policies and server-side membership checks. We test sensitive routes for authorization boundaries.
Access control
Authentication is handled by Supabase Auth. Third-party connections use OAuth scopes intended to request only the access needed for the selected integration.
Infrastructure
The service runs on Vercel and Supabase. Their compliance programs and platform protections support our controls; they do not make Brandlism independently SOC 2 certified.
API protection
Sensitive and high-volume routes use authorization, input validation, and rate controls. Private credentials are processed server-side rather than intentionally exposed to the browser.
Operational controls
We review dependencies, record application errors, use soft deletion where recovery is appropriate, and add prompt-injection boundaries around AI-assisted features.
02·Chapter
Compliance posture.
Our infrastructure providers maintain their own compliance programs. Brandlism does not currently claim an independent SOC 2 certification.
Provider controls
Vercel and Supabase publish their own security and compliance documentation. Their certifications apply to their services, not automatically to Brandlism.
Privacy requests
Users can request access, correction, export, or deletion of account data through support, subject to legal and operational retention requirements.
Data sale
Brandlism does not sell customer workspace data. The Privacy Policy describes data categories, purposes, and service providers.
03·Chapter
Responsible AI.
Brandlism does not use workspace data to train Brandlism models. AI output is labeled and external actions remain behind human approval.
AI outputs are clearly labeled
Every AI-generated analysis, suggestion, or draft is marked.
Brandlism training policy
Brandlism does not use workspace prompts, outputs, or brand data to train Brandlism models. Third-party provider handling is governed by their terms and our configured services.
Human approval before external action
Drafts and recommendations remain inside the workspace until an authorized user approves the relevant send, publish, or change action.
Coordinated disclosure
Found a vulnerability?
We take every report seriously. Email the security contact with reproduction steps and potential impact; we will acknowledge the report as soon as possible.
security@brandlism.com