Security
Last reviewed 2026-04-19
Encryption
TLS 1.2+ in transit, AES-256 at rest via Supabase + Cloudflare R2. Field-level encryption for the small set of sensitive identity fields.
Row-Level Security
Every org-scoped table has a Postgres RLS policy. Cross-org reads return zero rows even if application code has a bug. Service-role usage is confined to worker processes and audited.
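One way such a policy and a check for the "every org-scoped table" claim can look, as an added example that is not the product's own schema or policies. The table and column names (`org_members`, `reports`, `org_id`) are assumptions; `auth.uid()` and the `authenticated` role are Supabase's.

```sql
-- Constructed schema; table and column names are assumptions for illustration.
create table org_members (
  org_id  uuid not null,
  user_id uuid not null,
  primary key (org_id, user_id)
);
create table reports (
  id     uuid primary key default gen_random_uuid(),
  org_id uuid not null,
  title  text not null
);

-- ENABLE turns policies on; FORCE also applies them to the table owner.
-- Roles with BYPASSRLS (Supabase's service_role) still skip these policies.
alter table org_members enable row level security;
alter table org_members force  row level security;
alter table reports     enable row level security;
alter table reports     force  row level security;

-- A user can read only their own membership rows.
create policy org_members_self on org_members
  for select to authenticated
  using (user_id = auth.uid());

-- Rows are visible and writable only inside the caller's orgs.
-- With no matching membership, USING filters out every row, so a
-- cross-org SELECT returns zero rows instead of raising an error.
create policy reports_org_isolation on reports
  for all to authenticated
  using      (org_id in (select m.org_id from org_members m where m.user_id = auth.uid()))
  with check (org_id in (select m.org_id from org_members m where m.user_id = auth.uid()));

-- Coverage check: public tables that carry an org_id column but have
-- RLS disabled or no policy attached. The expected result is zero rows.
select c.relname           as table_name,
       c.relrowsecurity    as rls_enabled,
       count(p.policyname) as policy_count
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
join pg_attribute a on a.attrelid = c.oid
                   and a.attname = 'org_id'
                   and not a.attisdropped
left join pg_policies p on p.schemaname = n.nspname
                       and p.tablename  = c.relname
where n.nspname = 'public'
  and c.relkind in ('r', 'p')
group by c.relname, c.relrowsecurity
having not c.relrowsecurity or count(p.policyname) = 0;
```

Running the coverage query in CI after each migration catches a new org-scoped table that shipped without a policy.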
Audit logs
Every privileged action — role change, plan change, schema push, Wikipedia draft export, robots.txt export, classifier-version bump — is logged to an append-only audit table with 6-year retention.
SOC 2 Type II
Roadmap: complete via Drata or Vanta within 12 months of launch. Until then, the controls described on this page are documented and reviewed quarterly.
Bug bounty
Email security@aieo.ai. Responsible disclosure: 90-day window, public credit unless you ask otherwise.