At outwrite.ai, security is embedded throughout our architecture and operations. We implement comprehensive protection measures across our Supabase-backed infrastructure, from data encryption to real-time threat monitoring.
Built on AWS with SOC 2 Type II compliance, automatic backups, and 99.9% uptime SLA. Our infrastructure includes dedicated connection pooling and global CDN distribution.
TLS 1.3 for all data in transit, AES-256 encryption at rest via Supabase, plus additional pgsodium encryption for sensitive credentials like WordPress passwords.
PostgreSQL with Row Level Security (RLS) enabled on all 15+ user data tables, ensuring complete data isolation between users.
Secure email/password authentication plus Google OAuth 2.0 integration. JWT tokens with automatic refresh and secure localStorage persistence.
Comprehensive RLS policies on all tables including profiles, generated_content, content_projects, wordpress_connections, and usage_events ensure users can only access their own data.
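As an added illustration of the per-table isolation described above (and in the RLS note on user data tables), here is what such policies look like in Supabase-flavoured PostgreSQL; this is example code, not outwrite.ai's own schema, and the table layout, column names (user_id) and policy names are assumptions:

```sql
-- Added example: per-user row isolation for two of the tables named on the page,
-- keyed on auth.uid(), which Supabase derives from the JWT "sub" claim.
-- Assumed schema (not the project's): profiles keyed by the auth user id,
-- generated_content owned via a user_id column.
create table if not exists profiles (
  id uuid primary key references auth.users(id) on delete cascade,
  display_name text
);
create table if not exists generated_content (
  id bigint generated always as identity primary key,
  user_id uuid not null references auth.users(id) on delete cascade,
  body text not null,
  created_at timestamptz not null default now()
);

-- Enable RLS, and FORCE it so the table owner is also subject to the policies.
-- With RLS on and no matching policy, access is denied by default (anon gets nothing).
alter table profiles enable row level security;
alter table profiles force row level security;
alter table generated_content enable row level security;
alter table generated_content force row level security;

-- profiles: a user may read and update only their own row.
create policy "profiles_select_own" on profiles
  for select to authenticated using (id = auth.uid());
create policy "profiles_update_own" on profiles
  for update to authenticated
  using (id = auth.uid()) with check (id = auth.uid());

-- generated_content: CRUD scoped to the owner. WITH CHECK on insert/update
-- stops a caller from writing rows attributed to someone else's user_id.
create policy "content_select_own" on generated_content
  for select to authenticated using (user_id = auth.uid());
create policy "content_insert_own" on generated_content
  for insert to authenticated with check (user_id = auth.uid());
create policy "content_update_own" on generated_content
  for update to authenticated
  using (user_id = auth.uid()) with check (user_id = auth.uid());
create policy "content_delete_own" on generated_content
  for delete to authenticated using (user_id = auth.uid());

-- Check inside a transaction: impersonate one user and confirm that only that
-- user's rows are returned (constructed placeholder UUID).
begin;
set local role authenticated;
set local request.jwt.claims = '{"sub":"00000000-0000-0000-0000-000000000001"}';
select count(*) from generated_content;  -- counts only rows with that user_id
rollback;
```

Note that the Supabase service-role key bypasses RLS entirely, so edge functions that use it must enforce ownership checks themselves rather than relying on these policies.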
Bearer token validation on all edge functions, with role-based access controls and service-level authentication for sensitive operations.
WordPress credentials encrypted using pgsodium with project-specific keys and automatic key rotation. A fallback to base64 encoding (an encoding, not encryption) is retained only for backward compatibility with records stored before pgsodium was adopted.
Intelligent rate limiting: 5 attempts per 15 minutes for critical operations like WordPress connections. Complete audit trail in usage_events table with real-time monitoring.
Comprehensive SecurityUtils implementation including XSS protection, HTML sanitization, file upload validation, and WordPress URL validation with suspicious pattern detection.
Multi-layer content validation for AI-generated content, checking for script injection, XSS patterns, and content length limits. No user content is used for AI model training.
Live security scoring based on encrypted connections, security events, and rate limit violations. Real-time monitoring of 6 active security features including TLS enforcement and auth state management.
Automated detection of rate limit violations, suspicious WordPress connection attempts, and unusual usage patterns with immediate alerting.
Comprehensive logging of all user actions, content generation events, WordPress operations, and security-related activities with tamper-proof timestamps.
Comprehensive security headers on all responses: Content-Security-Policy, X-Content-Type-Options: nosniff, X-Frame-Options: DENY, X-XSS-Protection: 1; mode=block, Referrer-Policy: strict-origin-when-cross-origin.
Strict CORS policies on all edge functions, parameterized queries preventing SQL injection, and secure file upload handling with type and size validation.
All 12 edge functions protected with JWT validation, rate limiting, input sanitization, and comprehensive error handling with security event logging.
Full data portability through content export, user-initiated data deletion, granular consent management, and data processing transparency. EU users' data is processed in compliance with GDPR Article 6.
Infrastructure compliance through Supabase's SOC 2 Type II certification, ensuring security, availability, processing integrity, confidentiality, and privacy controls.
Primary data processing in US-based data centers with GDPR-compliant international transfer mechanisms. Data backup and replication within approved regions.
Minimal data collection principle, purpose limitation for all processing, data minimization in storage, and automatic cleanup of temporary processing data.
Continuous monitoring through Supabase's infrastructure monitoring plus application-level security event tracking. Automated alerting for security incidents and performance anomalies.
Automated daily backups with point-in-time recovery capabilities. Database backup retention for 30 days with encrypted storage. Recovery procedures tested quarterly.
Comprehensive incident response procedures with defined escalation paths, user notification protocols, and regulatory reporting compliance. Security incidents trigger automatic user notifications within 72 hours.
TLS 1.3 with Perfect Forward Secrecy, AES-256-GCM for data at rest, pgsodium for application-level encryption with automatic key rotation every 90 days.
JWT tokens with 1-hour expiry and automatic refresh, secure httpOnly cookies for session management, and OAuth 2.0 with PKCE for Google authentication.
DOMPurify for HTML sanitization, content-type validation, file signature verification for uploads, and AI content safety scoring with automated moderation.
We welcome security researchers to report vulnerabilities through our responsible disclosure program. Contact our security team at support@outwrite.ai with PGP encryption available. We commit to responding within 48 hours and provide recognition for valid security reports.