Summary
BrandCited is a SaaS product hosted on Vercel with Supabase as the primary datastore and Stripe for payment processing. All customer data is encrypted in transit and at rest. This page documents the security controls we operate today and the controls we are actively pursuing.
Encryption
All traffic to www.brandcited.ai and our API uses TLS 1.3. HSTS is enforced. Data at rest in Supabase is encrypted with AES-256. Row-level security (RLS) policies separate tenants: no user can read or modify another user's data, scans, brands, or reports.
Authentication
Account sign-in uses Supabase Auth with email/password plus Google OAuth. Sessions are issued as short-lived JWT tokens with refresh-token rotation. Super-admin accounts are gated on explicit email allow-listing, not on a mutable database flag. Multi-factor authentication is on our roadmap for Q3 2026.
Payments
Payments are handled by Stripe. Card data never touches BrandCited servers. We receive a Stripe customer ID and subscription status via webhook. Webhooks are signed and verified on every request.
Infrastructure
Hosting runs on Vercel Fluid Compute with Node.js 24 LTS. The database is Supabase Postgres with automatic daily backups retained for 30 days. Secrets are stored in Vercel environment variables, not in source code. A GitHub Actions TruffleHog scan runs on every push to catch accidentally committed secrets before they can propagate.
Compliance
BrandCited is GDPR-compliant and CCPA-compliant. Our SOC 2 Type II audit is in progress with an expected completion in 2026. We are registered under the CAN-SPAM Act for marketing email. We honour data-deletion and data-export requests within five business days. Requests can be sent to hello@brandcited.ai.
Monitoring and incident response
Sentry error tracking runs across the marketing site, the dashboard, and every API route. Vercel observability covers request latency and error rates. Our incident-response process is: confirm the incident, contain the blast radius, notify affected users within 72 hours, document the root cause publicly in the changelog, and ship a preventative fix.
Responsible disclosure
If you discover a vulnerability in BrandCited, please report it privately to security@brandcited.ai before disclosing publicly. We will acknowledge within two business days, investigate, and publish a fix with credit to the reporter if requested.
Subprocessors
We use Vercel (hosting), Supabase (database + auth), Stripe (payments), Resend (transactional email), Sentry (error monitoring), OpenRouter (LLM inference), PostHog (product analytics), and Cloudflare (DNS + DDoS). A current list is available on request at hello@brandcited.ai.
Contact
Security questions: security@brandcited.ai. General inquiries: hello@brandcited.ai.