Security
How we protect customer data, what we have in place today, and where we’re investing next.
We’re a new product with a small team and we’re building security-first. Our SOC 2 Type II audit is in progress — not yet issued. This page describes what we have in place today and what’s actively in flight, so you can make an accurate decision.
If you have specific security or compliance requirements before adopting kinapse.ai, email security@kinapse.ai and we’ll answer directly.
Encryption in transit
- TLS on every request — Vercel edge terminates HTTPS and redirects HTTP to HTTPS.
- HSTS header with a 1-year max-age set at the application layer.
- Webhooks from Stripe are signature-verified before the body is processed.
Authentication
- Primary sign-in is Google OAuth via NextAuth v5 — we never see your Google password.
- Email + password signup uses bcrypt with a cost factor of 12.
- Sessions are JWT with a 30-day expiry, rotated on every sign-in.
- Admin routes are gated at the middleware level and then re-checked per API route.
Multi-tenant isolation
- Every customer org has a unique organizationId. API routes that take a resource ID scope the query by org at the database layer, not just at the controller layer.
- Role-based access control: SUPER_ADMIN, AGENCY_ADMIN, PROJECT_MANAGER, ANALYST, CLIENT_VIEWER.
- Rate limiting on sign-in, AI endpoints, uploads, and the public API — backed by Upstash Redis in production, in-memory in development.
How we handle your data
- Primary database is managed Postgres on Supabase, hosted in the US.
- We do not resell, share, or use your campaign content to train third-party models.
- Stripe handles all payment data — we never store card numbers or CVVs.
- You can export or delete your organization’s data at any time by emailing support.
Infrastructure
- Application runs on Vercel (SOC 2 Type II certified platform).
- Postgres runs on Supabase (SOC 2 Type II certified platform).
- AI calls go to OpenAI, Google, and Anthropic — all enterprise-grade providers with their own certifications.
- Deploys are automated; secrets are not checked into source control.
In progress
Where we’re actively investing. If any of these are a hard requirement for you to adopt kinapse.ai, we’ll work with you directly — email security@kinapse.ai.
- In progress: SOC 2 Type II audit — engagement underway. We can share an interim letter + vendor-security questionnaire under NDA.
- In progress: Native MFA on login — TOTP + WebAuthn. Google OAuth users already get 2FA via Google today.
- Planned: GDPR & CCPA posture reviews with external counsel before onboarding customers with those requirements.
- Planned: EU data residency — customer-scoped region pinning.
Responsible disclosure
Think you’ve found a vulnerability? Email us before disclosing publicly. We’ll acknowledge within two business days and work with you on a fix.
security@kinapse.ai