Security & Trust
Last updated 2026-04-18. Written for buyers conducting a security review. Every claim below is either verifiable in our public repository or backed by a subprocessor contract we can produce on request.
Infrastructure
Hosting
Vercel (sfo1 + syd1), Supabase (US-West primary, Sydney read replica)
Encryption at rest
AES-256 (Supabase-managed disk encryption)
Encryption in transit
TLS 1.3 enforced end-to-end
Key management
NextAuth JWT signing, AWS KMS via Supabase; customer ad-platform tokens encrypted with a per-environment ENCRYPTION_KEY before write
Access control
Tenant isolation
Row-level security on every tenanted table, scoped via brand_memberships
Admin surface
Internal admin endpoints require the platform-staff allowlist (env-gated) OR brand-scoped membership; the legacy app-level admin role can NOT bypass brand scope (see commit history for W1.2)
Authentication
Google OAuth, Shopify OAuth, email/password (bcrypt), optional TOTP
API keys
Scoped per-brand; hashed (SHA-256) at rest; rotate via dashboard Settings > API
Data handling
PII retention
Customer emails/phones hashed (SHA-256) when possible; raw PII retained only when required for attribution join; GDPR delete honored within 30 days via Shopify customers/redact webhook
Pixel events
Bot-filtered on ingest (quarantined, not dropped); de-duplicated per event_id; raw events retained 13 months
Backups
Supabase point-in-time recovery, 7-day window, documented runbook at docs/runbooks/db-restore.md
Subprocessors
| Subprocessor | Purpose | Region |
|---|---|---|
| Supabase (AWS) | Primary database (Postgres) + auth | US-West + Sydney read replica |
| Vercel | Application hosting + edge network | sfo1 + syd1 |
| Upstash | Redis cache + rate limiting | Global (us-west-1 primary) |
| Modal | Attribution + MMM model training (GPU) | US |
| Stripe | Billing and payments | US / EU |
| Resend | Transactional email | US |
| OpenAI | LLM-backed explanations and natural-language queries | US |
| Sentry | Error monitoring | US |
| PostHog | Product analytics (first-party, anonymized) | EU |
Customers are notified 30 days before a new subprocessor is added.
Incident response
Detection
Sentry alerts on route-level errors within 60s; DLQ depth & token-expiry failures page on-call via PagerDuty (see docs/runbooks/incident-response.md).
Customer notification
Affected tenants notified within 72 hours of confirmed breach, per DPA
Post-mortem
Blameless, published internally within 5 business days
Service levels
Dashboard availability
99.5% monthly (external synthetic probe)
Pixel ingest
99.9% of valid events 2xx at p95 < 500ms
Shopify webhook lag
< 5 min p95, < 15 min p99
Ad-spend freshness
< 6h per connector
Compliance status
SOC 2
Type I in progress (target 2026 Q3)
GDPR
Article 28 DPA with SCCs available on request
CCPA
In scope via DPA
Contact
Report vulnerabilities to security@attribution.ai. We acknowledge reports within two business days; ask for our bug-bounty policy in your first message and we will share it.