Security

How we protect your data, your deliverables, and the platform. Specific, audited, and ready for procurement review.

Effective: May 24, 2026. Plain-language. Lawyer-reviewed.

01 Identity & access

  • Hardware-key 2FA required on every team account.
  • SSO + role-based access for internal tools; just-in-time elevation for production.
  • Service-role database keys live only in encrypted environment variables, never in client code.
  • Annual access reviews, quarterly key rotations, immediate deprovisioning on team change.

02 Data at rest

  • All Supabase Postgres data encrypted at rest with AES-256.
  • Row-level security enabled on every table — anon clients can only write, never read sensitive rows.
  • Daily encrypted snapshots, 30-day retention, point-in-time recovery available on paid tiers.
  • Optional client-controlled region pinning (EU, US, Middle East).
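The write-only pattern behind the row-level security bullet above, as an added example that is not Vaarcus's own schema or code: a Supabase Postgres table on which the anon role may insert a submission but can never read rows back. The table name leads and its columns are assumed for illustration.

```sql
-- Added example, not the platform's own schema: a Supabase/Postgres table on which
-- the anon role may insert rows but can never read them.
-- The table name "leads" and its columns are assumed for illustration.
create table if not exists public.leads (
  id         bigint generated always as identity primary key,
  domain     text        not null,
  contact    text        not null,
  created_at timestamptz not null default now()
);

-- With RLS enabled, every row access is denied unless a policy allows it.
-- FORCE makes the policies apply to the table owner as well.
alter table public.leads enable row level security;
alter table public.leads force row level security;

-- Statement-level grant: anon may run INSERT on this table and nothing else.
-- Grants gate which statements run; policies then filter which rows they touch.
grant insert on public.leads to anon;

-- Row-level policy: any row anon inserts is accepted. No SELECT grant or policy
-- exists for anon, so plain reads and INSERT ... RETURNING (which needs SELECT)
-- are both rejected.
create policy "anon may submit a lead"
  on public.leads
  for insert
  to anon
  with check (true);

-- Reads happen server-side through the service-role key, which in Supabase
-- bypasses RLS; no anon-readable policy is ever created on this table.
```

A client inserting through the anon key must not ask for the inserted row back, because that turns the statement into INSERT ... RETURNING and fails the SELECT check; the server reads submissions with the service-role key instead, which is why that key belongs only in server-side environment variables.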

03 Data in transit

  • TLS 1.3 on every endpoint, HSTS preloaded on production hostnames.
  • HTTP→HTTPS upgrade enforced at edge; mixed-content blocked.
  • Strict Content-Security-Policy on production; only first-party + named CDNs allowed.

04 Application security

  • Dependency CVE scanning on every PR; high-severity vulnerabilities block merge.
  • Static analysis and type checks (TypeScript strict) on every commit.
  • Server actions validate inputs at the boundary; no SQL string concatenation, ever.
  • Secrets scanned pre-commit; any accidentally-committed secret is rotated within 1 hour.

05 AI & data flow

  • Gemini receives only the domain string you submit — no form values, no customer records.
  • No client-identifiable data is used to fine-tune any model.
  • Optional self-hosted LLM path available for regulated industries (healthcare, finance).

06 Incident response

We follow a documented response playbook with one-hour internal acknowledgement and a 72-hour notification window for any incident affecting client data. Active clients are notified through their dedicated success engineer; the public is informed via /status.

07 Compliance

  • GDPR-aligned data handling; signed DPA available on request.
  • Working towards SOC 2 Type II — target Q3 2026.
  • HIPAA-friendly architecture available for healthcare clients with a signed BAA.

08 Report a vulnerability

Found something concerning? Email business@vaarcus.com with subject line [SECURITY]. We respond within 24 hours, will not pursue legal action against researchers acting in good faith, and credit you publicly once the issue is resolved (with your permission).

Questions about this policy? Email business@vaarcus.com and we'll respond within one business day.