Security

Last updated: 2026-04-14

Security is a practice, not a checklist. This page summarizes how we handle the fundamentals. For enterprise security questionnaires, email security@aistacknavigator.com.

Hosting

Application hosting: Vercel. Database and authentication: Supabase. Both providers offer their own SOC 2 / ISO 27001 attestations. Data is stored in the Asia-Pacific (Mumbai) region for development and Asia-Pacific (Tokyo) for production.

Authentication

Sign-in is handled by Supabase Auth with email/password and OAuth (Google, Azure AD). Passwords are hashed; we never store them in plaintext. Session tokens are short-lived.

Data access

Row-level security (RLS) policies enforce per-user access at the database layer. User data is scoped to each account or organization. Administrative access is limited to named Outpace staff and logged.

Transport

All traffic is encrypted in transit (HTTPS/TLS). Database connections use TLS.

Retention

User data is retained while your account is active and deleted on request. Anonymous analytics are retained indefinitely in aggregate form.

Incident response

Material security incidents affecting user data will be communicated to affected users within 72 hours of confirmation, per the Australian Notifiable Data Breaches scheme.

Responsible disclosure

Found a vulnerability? Email security@aistacknavigator.com with details. We acknowledge within 2 business days and coordinate a fix timeline. We do not have a paid bug bounty but will gratefully credit researchers who help us improve.