Trust & Security
Security
Your business data is sensitive. We treat it that way. Sensei is built on enterprise-grade infrastructure with defense-in-depth security practices at every layer -- from the network edge to the database row.
SOC 2 Certified Providers
Built on Vercel and Supabase -- both SOC 2 Type II certified with annual audits.
End-to-End Encryption
TLS 1.3 in transit, AES-256 at rest. No exceptions, no plaintext storage.
Isolated Infrastructure
Row-level security, strict tenant isolation, and geographic redundancy.
Privacy by Design
GDPR and CCPA compliant. No ad trackers. No data sales. Ever.
Infrastructure Security
- Edge network: Vercel Edge Network with automatic DDoS mitigation, Web Application Firewall (WAF), and bot detection. Traffic is served from the nearest edge node for performance and resilience.
- Compute isolation: Serverless functions execute in isolated containers with no shared state between tenants. Each function invocation runs in its own sandboxed environment.
- Database: Supabase PostgreSQL on AWS infrastructure. Dedicated connection pooling with PgBouncer. Row-level security (RLS) policies enforced at the database engine level -- not the application layer.
- Secrets management: All API keys, database credentials, and sensitive configuration are stored as encrypted environment variables in Vercel's secrets store. Never committed to source control.
- Network security: Database connections restricted by IP allowlisting. All inter-service communication encrypted via TLS. No public database endpoints.
- Uptime: 99.9% uptime target backed by Vercel's and Supabase's enterprise SLAs. Automated health checks with alerting.
Data Protection
- Encryption in transit: All connections use TLS 1.3 with HSTS (HTTP Strict Transport Security) enabled and preloaded. Certificate transparency logging is active.
- Encryption at rest: All stored data is encrypted using AES-256 via the underlying AWS infrastructure. Database backups are also encrypted.
- Password security: User passwords are hashed using bcrypt with a cost factor of 10. Plaintext passwords are never stored, logged, or accessible to staff.
- Backup and recovery: Automated daily database backups with point-in-time recovery (PITR) up to 7 days. Backups are encrypted and stored in a geographically separate region.
- Data isolation: Multi-tenant architecture with strict logical isolation. Each user's data is protected by PostgreSQL row-level security policies that are applied at the query engine level. No cross-tenant data leakage is possible via normal application paths.
- Data minimization: We collect only the data necessary to provide the Service. We do not retain data longer than required by our Privacy Policy.
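The row-level security claims above (under Infrastructure Security and Data isolation) describe PostgreSQL policies. The following is an added illustration of what a per-tenant RLS policy looks like; it is not Sensei's schema or Schmade's code. The table name `audit_reports`, its columns, and the policy names are assumed for the example. `auth.uid()` is Supabase's helper that returns the authenticated user's id from the request JWT; on plain PostgreSQL you would substitute your own session-based tenant lookup, for instance `current_setting('app.user_id', true)::uuid`.

```sql
-- Added example (assumed schema, not Sensei's): a table of per-user audit
-- reports that only its owner can read or modify, enforced by the engine.
create table audit_reports (
  id         bigint generated always as identity primary key,
  owner_id   uuid        not null,          -- the authenticated user who owns the row
  site_url   text        not null,
  report     jsonb       not null,
  created_at timestamptz not null default now()
);

-- Without this line the table is readable by any role that can reach it.
alter table audit_reports enable row level security;
-- Apply the policies to the table owner as well, so even a migration role
-- or misconfigured connection cannot read across tenants by accident.
alter table audit_reports force row level security;

-- Policies are PERMISSIVE by default and OR'd together, so one policy per
-- command keeps the intent explicit. auth.uid() is Supabase's JWT subject.
create policy "owner can read own reports"
  on audit_reports for select
  using (owner_id = auth.uid());

-- WITH CHECK is evaluated on the new row: a caller cannot insert a report
-- that claims to belong to someone else.
create policy "owner can insert own reports"
  on audit_reports for insert
  with check (owner_id = auth.uid());

-- USING filters the rows that may be targeted; WITH CHECK validates the
-- result, so an update cannot re-home a row to another tenant.
create policy "owner can update own reports"
  on audit_reports for update
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());

create policy "owner can delete own reports"
  on audit_reports for delete
  using (owner_id = auth.uid());

-- Verification from an authenticated session: even with no WHERE clause,
-- the planner appends the policy predicate, so only the caller's rows return.
select id, site_url, created_at from audit_reports;

-- Inventory check for a schema: every user-facing table should show
-- rowsecurity = true and forcerowsecurity = true.
select relname, relrowsecurity, relforcerowsecurity
from pg_class
where relnamespace = 'public'::regnamespace and relkind = 'r';
```

Because the predicate is added to every statement against the table by the query planner, an application bug such as a missing `WHERE owner_id = ...` clause returns only the caller's rows instead of the whole table, which is what "enforced at the database engine level, not the application layer" buys you. Two checks are worth running on any Supabase project: the inventory query at the end should show RLS enabled on every table the API exposes, since a table without it is readable by whatever role the anon or authenticated key maps to; and the `service_role` key bypasses RLS entirely, so it belongs only in server-side code and never in a browser bundle.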
Application Security
- Authentication: Supabase Auth with secure session management using HTTP-only cookies. PKCE (Proof Key for Code Exchange) flow for OAuth providers. Session rotation on privilege changes.
- Authorization: Role-based access control (RBAC) enforced at both application and database layers. Administrative functions require additional verification.
- Input validation: All user inputs are validated and sanitized on both client and server. Parameterized queries prevent SQL injection. Output encoding prevents XSS.
- Security headers: Content Security Policy (CSP), X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy are configured on all responses.
- CSRF protection: Token-based CSRF protection on all state-changing operations. SameSite cookie attributes enforced.
- Rate limiting: API rate limiting at both the edge (Vercel) and application layer to prevent abuse and brute-force attacks.
- Dependency management: Automated vulnerability scanning via GitHub Dependabot. Critical vulnerabilities are patched within 24 hours of disclosure.
AI and Data Processing Security
- API-only processing: AI analysis is performed via the OpenAI API, not self-hosted models. Data is transmitted over encrypted connections to OpenAI's endpoints.
- No model training: Your data is never used to train OpenAI's models. We use the API with zero-retention data processing where available.
- Prompt isolation: Each analysis runs in an isolated prompt context. No user's data is mixed with another user's data during AI processing.
- Output storage: AI-generated reports are stored in your account and protected by the same RLS policies as all other user data.
- Web crawling: When you submit a URL for auditing, we only access publicly available content. We respect robots.txt directives and do not access authenticated or private pages.
Compliance and Privacy
- SOC 2 practices: Schmade LLC follows SOC 2 Trust Services Criteria for security, availability, and confidentiality. Our infrastructure providers (Vercel, Supabase, AWS) hold SOC 2 Type II certifications with annual third-party audits.
- GDPR: Full compliance with EU General Data Protection Regulation. Data Processing Agreements (DPAs) available upon request. Standard Contractual Clauses (SCCs) in place for international transfers.
- CCPA/CPRA: Full compliance with California Consumer Privacy Act and California Privacy Rights Act. We do not sell personal information.
- Data subject rights: We support access, rectification, deletion, portability, and restriction requests as described in our Privacy Policy.
- Data retention: Clear retention policies with automatic deletion within 30 days of account closure. Backups purged within 90 days.
- Sub-processor management: All third-party service providers are vetted for security practices and bound by DPAs. A current list is available in our Privacy Policy.
Disclosure: While Schmade LLC follows SOC 2 security practices and uses exclusively SOC 2 Type II certified infrastructure providers, Schmade LLC itself is not independently SOC 2 certified at this time. We are committed to pursuing formal certification as the company scales.
Internal Access Controls
- Principle of least privilege: Team members are granted only the minimum access necessary for their role. Production database access is restricted to essential personnel.
- Multi-factor authentication: Required for all team members accessing production systems, source control, and infrastructure dashboards.
- Audit logging: All administrative actions, database access, and system changes are logged with timestamps and user identification.
- Code review: All code changes require peer review and automated CI/CD checks before deployment to production. Direct pushes to production branches are prohibited.
- Security training: Team members undergo security awareness training covering secure coding practices, phishing prevention, and incident response procedures.
Incident Response
In the event of a security incident, we follow a structured response plan:
- Detection and containment: Automated monitoring detects anomalies. Affected systems are isolated immediately.
- Assessment: The scope, severity, and impact of the incident are determined within 4 hours of detection.
- Notification: Affected users are notified within 72 hours of confirmed incidents involving personal data, in compliance with GDPR and applicable laws.
- Remediation: Root cause analysis is performed. Fixes are deployed and verified.
- Post-mortem: A detailed post-mortem is conducted. Findings are documented and preventive measures are implemented to prevent recurrence.
Responsible Disclosure
We take security vulnerabilities seriously and welcome responsible disclosure from the security research community.
Report a Vulnerability
Email: security@schmade.com
Our commitments to responsible researchers:
- We will acknowledge receipt within 24 hours.
- We will provide an initial assessment within 72 hours.
- We will not pursue legal action against good-faith security researchers.
- We will credit researchers (with their permission) in any public disclosure.
- We ask that you give us reasonable time to address the issue before public disclosure.
Enterprise and Compliance Inquiries
For enterprise security assessments, vendor questionnaires, or compliance documentation, we can provide:
- Security questionnaire responses (CAIQ, SIG, custom formats)
- Infrastructure provider SOC 2 Type II reports
- Data Processing Agreements (DPAs)
- Sub-processor lists
- Technical architecture documentation
- Penetration test summaries (when available)
Schmade LLC
Security and Compliance
Email: security@schmade.com
We aim to respond to all security and compliance inquiries within 5 business days.