Security

1. Encryption

We protect data both while it moves and while it is stored:

• Data in transit is encrypted using industry-standard TLS (HTTPS) across the application and APIs.
• Data at rest is encrypted in our managed database and storage layers.
• Secrets and API keys are stored in protected server-side configuration and are never exposed to the browser.

2. Authentication & access control

Access to your account and data is controlled through authenticated sessions and least-privilege rules.

• Authentication is handled by Supabase Auth with secure, HTTP-only session tokens.
• Row-Level Security (RLS) enforces that organizations and users can only reach data they are authorized to access.
• Role-based permissions separate organization owners, members, and platform administrators.
• Privileged service operations run server-side only and are never shipped to the client.

3. Infrastructure

CopyUp.ai runs on established cloud providers that maintain their own audited security programs.

• Application hosting and global delivery via Vercel.
• Managed PostgreSQL database, authentication, and storage via Supabase.
• Network traffic is served over HTTPS with modern transport security.

4. Payment security

Payments are processed by Tranzila on its hosted, PCI-compliant payment page. Card details are entered directly with the payment provider — CopyUp.ai does not see or store full card numbers on its own servers.

5. Application security

• Server-side validation and authorization checks on sensitive operations.
• Strict separation between client and server code so privileged logic stays on the server.
• Dependency and configuration hygiene to reduce exposure to known vulnerabilities.
• Security-relevant defaults, including consent-gated, opt-in cookies for anything non-essential.

6. Monitoring, auditing & resilience

• Regular review of access controls, configurations, and dependencies.
• Managed database backups and recovery procedures provided by our infrastructure partners.
• Prompt investigation and remediation of identified security issues.

7. Your role in keeping your account secure

Security is a shared responsibility. You can help protect your account by:

• Using a strong, unique password and keeping it confidential.
• Signing out on shared devices and keeping your devices up to date.
• Being cautious with third-party integrations and the access you grant them.
• Contacting us immediately if you suspect unauthorized access.

8. Compliance & privacy

Our security practices support the commitments in our Privacy Policy, including data-subject rights and our handling of personal data. We design with applicable data-protection expectations in mind, including GDPR, the Israeli Privacy Protection Law, and US privacy frameworks such as the CCPA.