Trust & Security
How we protect your data and maintain transparency.
Security practices
Encryption in transit
All data is transmitted over TLS 1.3. We enforce HTTPS on all endpoints including the API, dashboard, and tenant sites.
Encryption at rest
All database data is encrypted at rest via Supabase (AWS RDS AES-256). Uploaded files are stored in S3 with server-side encryption.
Authentication
We use Supabase Auth with bcrypt password hashing, optional 2FA, and JWT tokens with short expiry. Sessions are invalidated on password change.
Secret management
Production secrets are stored in Vercel Environment Variables, never in source code. We run Gitleaks on every PR to prevent accidental commits.
Database backups
Supabase Point-in-Time Recovery (PITR) is enabled. Daily backups are retained for 30 days. We test restores quarterly.
Penetration testing
We conduct annual external penetration tests. Critical findings are addressed within 48 hours. A summary of the most recent test is available on request.
Infrastructure
Hosted on Vercel (global edge) + Supabase (AWS us-east-1). 99.9% uptime SLA. DDoS protection via Cloudflare WAF.
AI use
AI features use Anthropic's Claude API. Conversations are not used to train models. See our full AI disclosure below.
Read our AI use policySub-processors
We use the following third-party services to provide Seodapop. Each is bound by a Data Processing Agreement (DPA). Full sub-processors list →
| Service | Purpose | Location |
|---|---|---|
| Supabase | Database + Auth | AWS us-east-1 (USA) |
| Vercel | Hosting + Edge CDN | Global (USA HQ) |
| Anthropic | AI generation (Claude) | USA |
| Stripe | Payment processing | USA |
| Resend | Transactional email | USA |
| Sanity | Content management | USA |
| PostHog | Product analytics | USA / EU |
| Sentry | Error monitoring | USA |
| Cloudflare | DNS / WAF / DDoS | USA |
| Better Stack | Uptime monitoring | EU |
Compliance & policies
Certifications
SOC 2 Type II (planned)
We are working toward SOC 2 Type II certification. Our security controls are designed to meet the Trust Services Criteria. Expected completion: Q1 2027.
Contact our security team
To report a vulnerability, request our DPA, or ask about our security practices:
security@seodapop.com