Security Foundations

Enterprise-grade security from day one

AdaptLoop runs on Vercel and Supabase with row-level security, encrypted storage, and least-privilege workflows. We are GDPR compliant today and executing our SOC 2 Type II audit plan ahead of GA.

  • Supabase infrastructure: Managed Postgres + storage
  • Encryption: TLS in transit · AES-256 at rest
  • Row-level security: Every table locked by default
  • Compliance posture: SOC 2 Type II prep · GDPR compliant

How we protect your data today

These are the guardrails currently live in production. We publish updates to this page as we ship new controls.

Managed auth & row-level security

Supabase Auth powers sign-in while Postgres RLS ensures every record stays tied to the right workspace.

  • Supabase Auth with email + SSO
  • Strict row-level policies on every table
  • Server actions double-check ownership
  • Service-role keys stored server-side only

Encryption by default

Traffic is encrypted via HTTPS and data at rest is protected by AES-256 through Supabase-managed storage.

  • TLS 1.2+ for all requests
  • AES-256 encrypted storage buckets
  • Nightly encrypted backups
  • Key rotation managed by Supabase

Data residency & retention

All production data lives on Supabase US-East. Retention policies ensure transcripts and exports can be purged on request.

  • US-based primary region
  • Configurable retention windows
  • Soft-delete with scheduled hard purge
  • Download & deletion endpoints

Access controls

Workspaces require invitation-only access, and non-production environments use scrubbed fixtures.

  • Workspace invitations
  • Role-based permissions (admin/editor/viewer)
  • Session checks on every server action
  • Audit trail stored in Supabase

Operational hygiene

We rely on Vercel for hosting, Supabase for data, and guard access with least-privilege workflows.

  • Least-privilege API keys
  • Staging & production isolation
  • Automated dependency updates
  • Weekly backup verification

Roadmap & audits

We’re preparing for formal audits as we scale. Join the beta and we’ll share progress transparently.

  • SOC 2 readiness underway
  • Third-party pen tests scheduled with partners
  • Vendor security reviews published to customers
  • Dedicated security contact channel

How we protect your data

1. Data collection

We only store the information you upload intentionally. Sensitive fields are redacted inside prompts by default.

2. Data storage

Transcripts, exports, and brand assets live in Supabase buckets with row-level permissions and AES-256 encryption.

3. Data access

Only approved workspace members can open your content. Admins can export, revoke, or delete data at any time.

Our privacy commitments

Your data is yours

We never sell your data. Your customer information stays private.

AI training opt-out

Your data never trains foundation models. We only feed prompts to the provider selected in your environment.

Transparent data handling

Clear privacy policy explaining what we collect and how we use it.

Easy data export

Export all your data at any time in standard formats.

Right to deletion

Request deletion at any time. Your data is permanently removed within 30 days.

What we're working on next

Security is a journey. Here’s what’s coming up on our roadmap.

SOC 2 readiness

Control framework mapped, audit prep underway

SSO & SCIM

Enterprise identity integrations on the roadmap

Pen testing

Working with external partners for annual tests

Status page

Public uptime & incident reporting in development

Need a deeper security review?

We’re happy to discuss architecture, share policies, and walk through our roadmap.

Contact the team