Trust & Security

How we protect your data and maintain transparency.

Security practices

🔒

Encryption in transit

All data is transmitted over TLS 1.3. We enforce HTTPS on all endpoints including the API, dashboard, and tenant sites.

💾

Encryption at rest

All database data is encrypted at rest via Supabase (AWS RDS AES-256). Uploaded files are stored in S3 with server-side encryption.

🛡️

Authentication

We use Supabase Auth with bcrypt password hashing, optional 2FA, and JWT tokens with short expiry. Sessions are invalidated on password change.

🔑

Secret management

Production secrets are stored in Vercel Environment Variables, never in source code. We run Gitleaks on every PR to prevent accidental commits.

🗄️

Database backups

Supabase Point-in-Time Recovery (PITR) is enabled. Daily backups are retained for 30 days. We test restores quarterly.

🧪

Penetration testing

We conduct annual external penetration tests. Critical findings are addressed within 48 hours. A summary of the most recent test is available on request.

☁️

Infrastructure

Hosted on Vercel (global edge) + Supabase (AWS us-east-1). 99.9% uptime SLA. DDoS protection via Cloudflare WAF.

🤖

AI use

AI features use Anthropic's Claude API. Conversations are not used to train models. See our full AI disclosure below.

Read our AI use policy

Sub-processors

We use the following third-party services to provide Seodapop. Each is bound by a Data Processing Agreement (DPA). Full sub-processors list →

ServicePurposeLocation
SupabaseDatabase + AuthAWS us-east-1 (USA)
VercelHosting + Edge CDNGlobal (USA HQ)
AnthropicAI generation (Claude)USA
StripePayment processingUSA
ResendTransactional emailUSA
SanityContent managementUSA
PostHogProduct analyticsUSA / EU
SentryError monitoringUSA
CloudflareDNS / WAF / DDoSUSA
Better StackUptime monitoringEU

Compliance & policies

Privacy PolicyTerms of ServiceCookie PolicyDPAAcceptable UseAI Use DisclosureRefund PolicyDMCASub-processors

Certifications

🏆

SOC 2 Type II (planned)

We are working toward SOC 2 Type II certification. Our security controls are designed to meet the Trust Services Criteria. Expected completion: Q1 2027.

Contact our security team

To report a vulnerability, request our DPA, or ask about our security practices:

security@seodapop.com