Security FAQ

Honest answers to the questions we get most from security teams and procurement. For a DPA or additional documentation, contact [email protected].

Data handling

Where is my data stored?

Primary storage is in the EU (Frankfurt) via Supabase. Web traffic is served through Vercel's global edge with primary compute in the EU and US. Payment data is stored by Stripe in EU/US regions. See the sub-processors page for a full breakdown.

Is data encrypted?

Yes. All data is encrypted in transit using TLS 1.2 or later and at rest using AES-256 by our infrastructure providers. Secrets (API keys, database credentials) are held in our providers' encrypted secret stores and injected at runtime rather than committed to source code.

Do you train AI models on my data?

No. We use commercial API agreements with Anthropic and OpenRouter that prohibit training on your prompt data. Generated policies, account data, and business inputs are not used to train anyone's models.

Do you sell or share my data?

No. We do not sell personal data. We do not share personal data with advertising networks or data brokers. Sharing is strictly limited to sub-processors required to run the service.

Access control

Who at PolicifyAI can access my data?

Production data is accessible only to a small number of engineers on a need-to-know basis, using individually identifiable (named) accounts, multi-factor authentication, and audit-logged access.

How is the database secured?

We use Postgres row-level security (RLS) policies on customer tables, so a query can only return or modify rows belonging to the requesting user, whatever the query itself asks for. Authenticated API routes enforce the same ownership checks server-side, so authorisation does not depend on RLS alone.
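To make the RLS claim above concrete, here is an added example of what such a policy set looks like on Supabase-hosted Postgres. This is illustrative SQL written for this FAQ, not PolicifyAI's actual schema: the `policies` table, its columns and the two user IDs are hypothetical. It assumes Supabase's built-in `auth.uid()` helper (which reads the `sub` claim of the caller's JWT) and that the `authenticated` role has been granted the usual table privileges; the verification block at the end impersonates two different users inside a transaction and rolls back, so nothing persists.

```sql
-- Added example, not PolicifyAI's schema. Hypothetical table: one row per generated policy.
create table if not exists policies (
  id         uuid primary key default gen_random_uuid(),
  owner_id   uuid not null default auth.uid(),   -- auth.uid() = JWT "sub" claim (Supabase helper)
  title      text not null,
  body       text not null,
  created_at timestamptz not null default now()
);

-- RLS is opt-in per table: without this, the policies below are never consulted.
alter table policies enable row level security;
-- Apply RLS to the table owner too, so an app role that happens to own the table cannot bypass it.
alter table policies force row level security;

-- One policy per command. USING filters which rows are visible/affected;
-- WITH CHECK constrains the rows being written.
create policy "owner can read own rows" on policies
  for select to authenticated
  using (owner_id = auth.uid());

create policy "owner can insert own rows" on policies
  for insert to authenticated
  with check (owner_id = auth.uid());

create policy "owner can update own rows" on policies
  for update to authenticated
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());   -- also blocks re-assigning a row to another user

create policy "owner can delete own rows" on policies
  for delete to authenticated
  using (owner_id = auth.uid());

-- Verification: act as the authenticated role with constructed JWT claims (hypothetical UUIDs).
begin;
  set local role authenticated;

  -- Caller is user 1111...: insert a row owned by them.
  select set_config('request.jwt.claims',
    '{"sub":"11111111-1111-1111-1111-111111111111","role":"authenticated"}', true);
  insert into policies (title, body) values ('alice policy', 'Acceptable use policy text');

  -- Switch the caller to user 2222...: the row above must be invisible.
  select set_config('request.jwt.claims',
    '{"sub":"22222222-2222-2222-2222-222222222222","role":"authenticated"}', true);
  select count(*) from policies;   -- expected: 0, even though the row exists in the table

  -- User 2222... tries to write a row claiming user 1111... as owner: WITH CHECK rejects it
  -- with "new row violates row-level security policy for table policies".
  insert into policies (owner_id, title, body)
    values ('11111111-1111-1111-1111-111111111111', 'forged', 'x');
rollback;
```

Two caveats a reviewer would check for. First, Supabase's `service_role` key bypasses RLS entirely, so any server-side code that uses it must implement the ownership check itself; that is the reason server-side API routes need their own checks rather than relying on RLS. Second, a policy with `using (true)` or a missing `with check` clause silently widens access, so each customer table should have its policies reviewed per command, not just "RLS enabled".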

How are you protected against compromised accounts?

We support sign-in with Google (OAuth) and email-based authentication, with short-lived sessions. We recommend customers enable MFA on their identity provider (for example, on the Google account used to sign in). Suspicious sign-in activity triggers re-authentication.

Application security

How is the application secured?

We follow defence-in-depth: strict Content-Security-Policy headers, SameSite cookies, parameterised database queries, dependency pinning, automated dependency vulnerability scanning, and input validation on every API boundary.

Do you run penetration tests?

We run continuous automated scanning against our production surface and periodic manual code review. Formal third-party penetration testing is on our security roadmap for enterprise customers.

How do you handle incidents?

We maintain an incident response process that includes containment, impact assessment, customer notification where appropriate, root-cause analysis, and remediation tracking. Material incidents affecting customer data are disclosed in line with GDPR / UK GDPR breach-notification obligations.

Compliance & audits

Are you SOC 2 / ISO 27001 certified?

Not yet. Formal certifications are on our security roadmap. Where certifications are required for procurement, contact us: we can share our control documentation and the audit reports of the sub-processors we rely on (Supabase, Vercel and Stripe each hold SOC 2 Type II reports).

Do you offer a Data Processing Agreement (DPA)?

Yes. Email [email protected] to request a DPA. Our DPA incorporates the EU Standard Contractual Clauses (SCCs) and the UK International Data Transfer Agreement (IDTA) where applicable.

Where can I report a vulnerability?

Email [email protected] with technical details. We triage reports within 2 business days. We do not currently run a paid bug bounty but we are happy to publicly credit responsible disclosures.

Report a vulnerability

Found something? Please disclose responsibly.

[email protected] · Sub-processors →