Security
Enterprise-grade security for your brand intelligence data
Infrastructure Security
Pondral is hosted on Vercel's edge network with automatic SSL/TLS encryption for all data in transit. Our database is hosted on Supabase's managed PostgreSQL infrastructure with encrypted storage, automated backups, and geographic redundancy.
All API endpoints are protected by rate limiting, CSRF protection, and Content Security Policy (CSP) headers with cryptographic nonces.
Data Encryption
All data is encrypted in transit using TLS 1.3. Sensitive credentials including OAuth tokens from third-party integrations (GA4, Search Console, Slack) are encrypted at rest using AES-256-GCM authenticated encryption before database storage.
API keys are stored as SHA-256 hashes — we never store raw API keys, and they cannot be retrieved after creation.
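The hash-only key storage described above, sketched as an added example (not Pondral's code): the raw key is returned once at creation and only its SHA-256 digest is kept. The `pk_example_` prefix, the key layout and the `ApiKeyStore` class are assumptions made for illustration; an unsalted fast hash is adequate here only because the key is a high-entropy random value, unlike a password.

```python
import hashlib
import hmac
import secrets

KEY_PREFIX = "pk_example_"  # constructed prefix, not a real Pondral key format


def key_digest(raw_key):
    """SHA-256 hex digest of the full raw key string."""
    return hashlib.sha256(raw_key.encode("utf-8")).hexdigest()


class ApiKeyStore:
    """In-memory stand-in for the database table that holds key digests."""

    def __init__(self):
        self._rows = {}  # key_id -> (sha256 hex digest, owner)

    def issue(self, owner):
        """Create a key, persist only its digest, return the raw key once."""
        key_id = secrets.token_hex(4)        # public lookup handle
        secret = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        raw_key = f"{KEY_PREFIX}{key_id}_{secret}"
        self._rows[key_id] = (key_digest(raw_key), owner)
        return raw_key

    def verify(self, presented):
        """Return the owner for a valid key, or None."""
        if not presented.startswith(KEY_PREFIX):
            return None
        key_id, sep, _ = presented[len(KEY_PREFIX):].partition("_")
        row = self._rows.get(key_id) if sep else None
        if row is None:
            return None
        stored_digest, owner = row
        # Constant-time comparison so response timing does not leak digest bytes.
        if hmac.compare_digest(key_digest(presented), stored_digest):
            return owner
        return None

    def stored_values(self):
        """Everything the store retains about the keys: digests only."""
        return [digest for digest, _ in self._rows.values()]
```

Because the store holds nothing from which the raw key can be recomputed, a lost key has to be revoked and reissued rather than recovered.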
Authentication & Access Control
We support multiple authentication methods: email/password, Google OAuth, and SAML SSO for enterprise customers. Multi-factor authentication is available through your SSO provider.
Role-based access control (RBAC) provides four permission levels — Owner, Admin, Editor, and Viewer — with 14 granular permissions controlling access to projects, analysis, billing, team management, and API configuration.
Database Isolation
All database tables are protected by Supabase Row-Level Security (RLS) policies. This ensures strict tenant isolation: users can only access data belonging to their own account or organization, even in the event of an application-level vulnerability.
Admin Security
Administrative access requires three-factor verification: email address whitelist validation, active Stripe customer verification, and service role key authentication. Admin routes are additionally protected by aggressive rate limiting (5 requests per 15-minute window).
Third-Party AI Engine Security
When we send analysis queries to AI engines (Claude, ChatGPT, Gemini, Perplexity), we transmit only the brand name, competitor name, and analysis question. We do not send your personal information, credentials, or proprietary data to AI providers.
All AI engine communication uses encrypted HTTPS connections with configurable timeouts and circuit breaker patterns to prevent cascading failures.
SOC 2 Readiness
We maintain audit logging for all significant system events and are working toward SOC 2 Type II compliance. Our compliance endpoint provides real-time audit trail access for enterprise customers.
Responsible Disclosure
If you discover a security vulnerability, please report it to security@pondral.com. We take all reports seriously and will respond within 48 hours.