Security & Trust
Supabrief is built for product managers handling pre-launch intelligence: roadmap details, competitor analysis, internal Slack threads. We treat that data with the security posture appropriate to its sensitivity.
Data encryption
- In transit: TLS 1.2 or higher for every connection between your browser, our application, and any third-party service.
- At rest: AES-256 disk encryption on the Supabase Postgres database (managed AWS RDS / EBS).
- Sensitive credentials at rest: Additional application-layer AES-256-GCM encryption for stored third-party tokens (GitHub PAT, Jira refresh tokens, Gong API tokens, BYOK Gemini/OpenAI keys). The encryption key is held in environment configuration, separate from the database.
- Passwords: Hashed with bcrypt by Supabase Auth; we never store or see plaintext passwords.
- IP addresses: Never stored in raw form. Hashed with SHA-256 and kept only for abuse prevention, with a 90-day retention window.
Access controls
- Row-Level Security (RLS): Every multi-tenant table in our Postgres database has Row-Level Security policies that restrict each user's SELECT/INSERT/UPDATE/DELETE to rows owned by that user.
- Least-privilege admin: Service-role database access is used only by trusted server-side endpoints and is never exposed to the client.
- Authentication: Email + password (with strong password rules) or Google OAuth via Supabase Auth.
AI processing
- Your Input is sent to Google Gemini and/or OpenAI APIs over TLS 1.2+ to generate Output.
- We have configured both providers to exclude API inputs from training their models per the API terms in effect.
- You can opt out of using our keys entirely by adding your own AI keys (BYOK) in Settings on the product app.
- We do not log or persist Input outside of the database row associated with your generation.
Retention & deletion
See the retention table in our Privacy Policy §6. Highlights:
- Generated briefs: until you delete them, or 30 days after account deletion.
- Connected-integration tokens: until you disconnect, or 30 days after account deletion.
- Hashed IPs: 90 days, then deleted.
- Server logs: 30 days.
- Tax invoices: 8 years (Companies Act §128).
Incident response & breach notification
We will notify affected users and the relevant supervisory authority (Data Protection Board of India under DPDP §8(6); EU supervisory authorities under GDPR Art 33) of a personal data breach within 72 hours of becoming aware of it.
Subprocessors
See /legal/subprocessors for the current list of infrastructure, AI, payment, and operational subprocessors, including the country of processing and transfer mechanism (EU SCCs).
Vulnerability reporting
If you have discovered a security vulnerability in Supabrief, please report it to support@supabrief.com with the subject “Security Disclosure”. We commit to:
- Acknowledging receipt within 2 business days;
- Providing a triage assessment within 7 business days;
- Resolving high-severity issues within 30 days;
- Crediting reporters in our hall of fame (if desired) once a fix is shipped.
Please do not test vulnerabilities against accounts or data you do not own. We do not currently run a paid bug bounty.
Roadmap
We are working toward:
- SOC 2 Type 1 audit (target: within 12 months of crossing 100 paid customers);
- Single sign-on (SSO) via SAML / OIDC for enterprise customers;
- Audit-log export for enterprise customers.
Contact
Security questions, vendor-security questionnaires (CAIQ / SIG-Lite), or a copy of our latest review: support@supabrief.com.