Autousers

Security

Trust, by default.

Autousers is a pre-seed company, and we’re building security posture deliberately and transparently from day one. The shape below is what we have today; SOC 2 work is in motion. Found something concerning? Email contact@autousers.ai; we triage every report.

Encryption

Data is encrypted in transit with TLS 1.2+ and at rest with provider-managed AES-256 (Supabase Postgres, Google Cloud Storage). Backups inherit the same encryption envelope.

Authentication

Supabase Auth handles user sessions with rotating refresh tokens, secure HttpOnly cookies, and OAuth/SSO providers. API access uses scoped bearer tokens (CLI, MCP) or short-lived JWTs (Figma plugin).

Authorization

Postgres Row-Level Security enforces team-scoped access on every read and write — even an authenticated user can never see another team's data without an explicit share grant.
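The pattern described above, as an added example in PostgreSQL: team-scoped policies plus an explicit share table that grants read-only access across teams. This is illustrative code, not Autousers' schema; it assumes Supabase's `auth.uid()` helper, and the table and column names (`team_members`, `projects`, `project_shares`, `my_team_ids`) are hypothetical.

```sql
-- Added example (not Autousers' schema). Assumes Supabase's auth.uid();
-- all table, column and function names below are hypothetical.
create table team_members (
  team_id uuid not null,
  user_id uuid not null,
  primary key (team_id, user_id)
);

create table projects (
  id      uuid primary key default gen_random_uuid(),
  team_id uuid not null,
  name    text not null
);

-- An explicit share grant: a project made readable to another team.
create table project_shares (
  project_id uuid not null references projects(id) on delete cascade,
  team_id    uuid not null,
  primary key (project_id, team_id)
);

alter table projects enable row level security;
alter table projects force row level security;  -- the table owner is not exempt

-- Teams the calling user belongs to. security definer lets the lookup run
-- without recursing into RLS on team_members; search_path is pinned.
create function my_team_ids() returns setof uuid
language sql stable security definer set search_path = public as $$
  select team_id from team_members where user_id = auth.uid()
$$;

-- Read: rows owned by one of my teams, or rows explicitly shared with one.
-- Unauthenticated callers have auth.uid() = null and match nothing.
create policy projects_select on projects for select
  using (
    team_id in (select my_team_ids())
    or id in (select project_id from project_shares
              where team_id in (select my_team_ids()))
  );

-- Write: only the owning team; a share never confers write access.
-- Commands with no matching policy are denied outright under RLS.
create policy projects_insert on projects for insert
  with check (team_id in (select my_team_ids()));
create policy projects_update on projects for update
  using (team_id in (select my_team_ids()))
  with check (team_id in (select my_team_ids()));
create policy projects_delete on projects for delete
  using (team_id in (select my_team_ids()));
```

Note that RLS is not applied to superusers or roles with BYPASSRLS, which in Supabase includes the service_role key, so server-side code using that key must never be reachable with user-controlled filters.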

Infrastructure

Hosted on Vercel + Supabase + Google Cloud, all SOC 2 Type II certified. Production secrets live in Vercel + GCP Secret Manager, never in source control. Workload Identity Federation replaces long-lived service-account keys.

Monitoring

Sentry for error tracking, Vercel Analytics + observability for runtime, Supabase audit logs for database access. We page on anomalies and review access logs regularly.

Compliance

GDPR-aligned data handling, with a Data Processing Addendum available on request. SOC 2 Type I in progress with a Q3 2026 target. HIPAA and FedRAMP not currently in scope.

Reporting a vulnerability

Email contact@autousers.ai with reproduction steps and any artifacts. We acknowledge within 48 hours, target an initial assessment within five business days, and coordinate disclosure once a fix is shipped. We don’t run a paid bug-bounty programme yet, but we’re happy to credit researchers in our changelog and on this page when a public CVE lands.