Security

What we store

• Customer-uploaded business context (POVs, pipeline data, Supercase inputs)
• Customer-uploaded documents processed through the research pipeline
• User identity and session metadata (email, profile, org membership)

Where it lives

Primary database:

Supabase (managed Postgres). All customer data at rest.

Application layer:

Vercel (serverless functions, logs). No customer data persisted outside request lifetime.

Third-party processors:

See our Subprocessors page for the full list and purpose of each.

Data residency

Primary infrastructure runs in US regions via Supabase and Vercel. Specific region commitments are available on request for enterprise agreements.

Sign-in:

Google OAuth via NextAuth. Email and password supported for non-SSO users.

Sessions:

HTTP-only, signed session cookies. JWTs expire after 1 hour.

Multi-tenancy isolation:

Every multi-tenant table is protected by Supabase Row Level Security (RLS) policies keyed to organization_id. Cross-tenant reads and writes are blocked at the database layer, not just the application layer.

Roles:

user, admin, and superadmin — all subject to RLS scoped to the user’s current organization.

Server-side data access:

Privileged access paths (auth callbacks, cron jobs, background jobs) use a service-role client with documented justification, gated by application-level authentication.

Supercase uses a small number of third-party subprocessors to deliver the product. The authoritative list — including purpose and the data exposed to each — is maintained at /legal/subprocessors and updated whenever a vendor is added, removed, or repurposed.

Supercase uses large language models to generate research, summaries, and business-case content.

• Customer-supplied context (uploaded documents, POV notes, pipeline data) is sent to our AI providers (Google Vertex AI, OpenAI embeddings, Exa search) as part of request processing.
• We use enterprise API tiers that contractually do not train on customer inputs.
• We do not sell or share customer data with third parties beyond the subprocessors required to deliver the service.

Input validation:

Zod schema validation on all API routes that accept user input.

Output hygiene:

API responses do not return stack traces or internal error details to clients.

Dependency management:

Dependencies are kept current; security advisories are monitored and patched on a rolling basis.

Code review:

All production changes flow through pull requests with review before merge.

• Vercel captures per-request application logs.
• Supabase provides database query logs and auth event logs.
• Product analytics (PostHog) captures product usage events, not sensitive payloads.

In the event of a confirmed security incident affecting customer data:

1. We will notify affected customers without undue delay.
2. We will provide a written summary of the incident, its impact, and remediation steps.
3. Enterprise customers with a signed DPA will receive notification within the timeframes specified in that agreement.

Report suspected incidents to hello@supercase.ai.

Supercase is an early-stage product and our security program is maturing alongside it. Controls currently on the roadmap include:

• Multi-factor authentication (MFA) enrollment
• Active session revocation
• Application-level rate limiting
• Centralized audit logging
• SOC 2 Type II attestation

Enterprise customers evaluating for regulated workloads should request our current security questionnaire for the most accurate status.

• Vulnerability reports: hello@supercase.ai
• Enterprise security questionnaires and DPAs: hello@supercase.ai