A detailed overview of the security controls and practices implemented in AEO Pulse. Our security posture is reviewed quarterly and audited annually.
All data stored in Supabase Postgres is encrypted at rest using AES-256 encryption. This is managed by Supabase infrastructure and applies to all database tables, including customer data, audit logs, and configuration.
All communications between clients and AEO Pulse are encrypted using TLS 1.3 via Vercel's edge network. HSTS is enforced. No data is transmitted over unencrypted channels.
API keys are stored as bcrypt hashes (never plaintext). Keys are scoped with granular permissions (read/write per resource). Keys can be revoked instantly and have optional expiration dates. Key prefixes are visible for identification; full keys are shown only once at creation.
Postgres row-level security (RLS) policies ensure that users can only access data belonging to their organization/workspace. RLS is enforced at the database level, providing defense-in-depth even if application-layer controls fail.
Four workspace roles (owner, admin, editor, viewer) are governed by a granular permission matrix. Organization-level roles (owner, admin, billing, member) control org-wide settings. Permissions are checked on every API request.
All critical actions are logged to an immutable, append-only audit trail. Audit logs cannot be modified or deleted by users (enforced via RLS). Logs are exportable in CSV format for compliance reviews.
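The workspace isolation and append-only audit trail described above can be expressed as Postgres RLS policies. This is an added example, not AEO Pulse's own schema or policies: the table, column and policy names are hypothetical, and it assumes Supabase's `auth.uid()` helper and its `authenticated` and `anon` roles.

```sql
-- Added example; table and column names are hypothetical, not AEO Pulse's schema.
create table workspace_members (
  workspace_id uuid not null,
  user_id      uuid not null,
  role         text not null check (role in ('owner', 'admin', 'editor', 'viewer')),
  primary key (workspace_id, user_id)
);
create table audit_logs (
  id           bigint generated always as identity primary key,
  workspace_id uuid not null,
  actor_id     uuid not null,
  action       text not null,
  created_at   timestamptz not null default now()
);

alter table workspace_members enable row level security;
alter table audit_logs enable row level security;

-- A user sees only their own membership rows; the policies below rely on this.
create policy members_select_own on workspace_members
  for select to authenticated
  using (user_id = auth.uid());

-- Read: only audit rows from workspaces the caller belongs to.
create policy audit_select_member on audit_logs
  for select to authenticated
  using (exists (
    select 1 from workspace_members m
    where m.workspace_id = audit_logs.workspace_id
      and m.user_id = auth.uid()));

-- Append: the caller may insert only as themselves, into their own workspace.
create policy audit_insert_self on audit_logs
  for insert to authenticated
  with check (
    actor_id = auth.uid()
    and exists (
      select 1 from workspace_members m
      where m.workspace_id = audit_logs.workspace_id
        and m.user_id = auth.uid()));

-- No UPDATE or DELETE policy exists, so under RLS those statements match no rows.
-- Revoking the privileges makes them fail outright; TRUNCATE is not covered by RLS.
revoke update, delete, truncate on audit_logs from authenticated, anon;
-- Roles that bypass RLS (the table owner, Supabase's service_role) are not constrained here.
```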
Supabase performs daily automated backups with 7-day retention on free plans and 30-day retention on paid plans. Point-in-time recovery is available. Backup integrity is verified quarterly.
AEO Pulse is hosted on Vercel's global edge network with automatic DDoS protection. Server-side code runs in isolated serverless functions. There are no persistent servers to manage or patch.
Dependencies are scanned via npm audit on every CI run. Critical vulnerabilities are patched within 24 hours. An internal security audit was completed in March 2026 (score: 85/100). An external penetration test is planned for Q4 2026.
If you discover a security vulnerability in AEO Pulse, please report it responsibly to security@aio-pulse.com. We commit to acknowledging your report within 48 hours and providing a resolution timeline within 7 days.