Round Table Strategy

Security

How we protect your data

Regularly Audited & Verified

We conduct regular security audits to verify database security, API authentication, and protection against common vulnerabilities.

Row-Level Security, API Authentication, XSS Protection, Security Headers

  • Encrypted: 256-bit SSL encryption for all data
  • Protected: SOC 2 compliant infrastructure
  • Controlled: Role-based access controls

Infrastructure Security

Our platform is built on enterprise-grade infrastructure designed to protect your sensitive financial services data:

  • Cloud Hosting: Hosted on Supabase and Vercel with SOC 2 Type II compliance
  • Data Centers: Geographically distributed with redundancy and failover
  • Network Security: Enterprise firewalls, DDoS protection, and intrusion detection
  • Monitoring: 24/7 automated monitoring and alerting systems

Data Encryption

All data is encrypted both in transit and at rest:

  • In Transit: TLS 1.3 encryption for all data transmission
  • At Rest: AES-256 encryption for stored data
  • Passwords: Bcrypt hashing with salt for user credentials
  • Backups: Encrypted daily backups with point-in-time recovery

Access Controls

We implement strict access controls to ensure only authorized users can access your data:

  • Authentication: Secure email/password authentication with session management
  • Team Isolation: Row-level security ensures teams can only access their own data
  • Role-Based Access: Granular permissions for admins, managers, and members
  • Approval Workflow: New team members require admin approval before accessing data
  • Audit Logs: Comprehensive logging of user activities and data changes

Application Security

Our application is built with security best practices:

  • Secure Development: Code reviews and security testing in development lifecycle
  • Input Validation: Server-side validation to prevent injection attacks
  • CSRF Protection: Cross-site request forgery protection on all forms
  • XSS Prevention: Content security policies and HTML encoding on all user inputs
  • Dependency Scanning: Regular scanning for vulnerabilities in third-party packages
  • Rate Limiting: Protection against brute force attacks on login and invite codes

Security Headers

We implement industry-standard security headers to protect against common web vulnerabilities:

  • X-Frame-Options: Prevents clickjacking attacks
  • X-Content-Type-Options: Prevents MIME type sniffing
  • X-XSS-Protection: Browser XSS filtering
  • Referrer-Policy: Controls referrer information
  • Permissions-Policy: Restricts browser features
  • Content-Security-Policy: Controls resource loading

AI & Data Privacy

For features that use AI (like contact import), we ensure your data remains private:

Powered by Claude (Anthropic)

We use Claude by Anthropic, an AI assistant designed with safety and privacy as core principles. Anthropic maintains enterprise-grade data handling agreements and does not use API data for model training.

  • No Training: Your data is never used to train AI models
  • API-Only: AI features use secure API calls with enterprise privacy agreements
  • Data Minimization: Only necessary data is sent for AI processing
  • No Retention: AI providers do not retain your data after processing
  • Anthropic Privacy: View Anthropic's privacy practices at privacy.anthropic.com

Input Sanitization & XSS Prevention

All user input fields are protected against cross-site scripting (XSS) and injection attacks:

Protected Input Fields

  • Notes & Sticky Notes
  • Quick Links (URL validated)
  • Tasks & Descriptions
  • Contact Notes
  • Activity Logs
  • Email Invitations

  • React Auto-Escaping: All text content is automatically escaped by React
  • URL Validation: Links are sanitized to only allow http/https protocols
  • Protocol Blocking: javascript:, data:, and vbscript: URLs are blocked
  • HTML Escaping: Special characters in emails are escaped to prevent injection
  • Length Limits: Text fields have maximum length limits to prevent abuse
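The URL validation and protocol blocking described above, as an added example that is not the site's own code (the function names, the rendering fallback and the 2048-character cap are assumptions for illustration):

```javascript
// Added example, not Round Table Strategy's own code: an allow-list URL
// validator of the kind described above. sanitizeLink, renderLink and the
// 2048-char cap are assumptions for illustration.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);
const MAX_URL_LENGTH = 2048;

// Returns a normalized absolute http/https URL, or null if the input is
// rejected. Rejecting (rather than "fixing") keeps the decision simple.
function sanitizeLink(input) {
  if (typeof input !== "string") return null;

  // Remove surrounding whitespace and any ASCII control characters. The
  // WHATWG URL parser already strips tabs/newlines and leading/trailing
  // controls, so this is belt-and-braces against "java\tscript:" forms.
  const cleaned = input.trim().replace(/[\u0000-\u001F\u007F]/g, "");
  if (cleaned.length === 0 || cleaned.length > MAX_URL_LENGTH) return null;

  let url;
  try {
    // Parsing with URL (instead of a string prefix check) normalizes the
    // scheme to lower case, so "JavaScript:" and "HTTPS:" are handled.
    url = new URL(cleaned);
  } catch {
    return null; // no scheme, or otherwise unparseable
  }

  // Allow-list, not block-list: anything that is not http(s) is rejected,
  // which covers javascript:, data:, vbscript: and any scheme not yet known.
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) return null;

  return url.href;
}

// Where a link is rendered, fall back to plain text when validation fails;
// the text path is then escaped by the UI layer (React, on this page).
function renderLink(input) {
  const href = sanitizeLink(input);
  return href === null
    ? { tag: "span", text: String(input) }
    : { tag: "a", href, rel: "noopener noreferrer", target: "_blank" };
}
```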

Compliance

We maintain compliance with industry standards and regulations:

Infrastructure

  • SOC 2 Type II (via Supabase)
  • ISO 27001 aligned practices
  • GDPR ready

Financial Services

  • PII data protection
  • Secure client data handling
  • Audit trail capabilities

Incident Response

In the event of a security incident:

  • Immediate containment and investigation procedures
  • Notification to affected users within 72 hours
  • Detailed incident reports and remediation plans
  • Post-incident review and security improvements

Security Best Practices for Users

Help us keep your data secure by following these recommendations:

  • Use a strong, unique password for your account
  • Never share your login credentials with others
  • Log out when using shared or public computers
  • Report any suspicious activity immediately
  • Keep your browser and devices updated

Request Security Documentation

Enterprise customers and security teams can request detailed documentation for their vendor assessment and due diligence reviews:

Available Upon Request

  • SOC 2 Type II Report (via Supabase)
  • Security architecture overview
  • Data processing agreements (DPA)
  • Vendor security questionnaire responses

Report a Vulnerability

We appreciate responsible disclosure of security vulnerabilities. If you discover a security issue, please contact us:

Security Team

Email: admin@wsbroundtable.com

Please include detailed steps to reproduce the issue. We will respond within 48 hours.
