Skip to content
Legal

Security Overview

v1.0 · Effective 2026-07-06

1. Overview

This page describes the security measures that protect your data in Brainpercent, operated by Brainpercent, LLC (Delaware, USA). We describe only what is actually in place today. We do not claim certifications we do not hold. For how we process personal data, see our Privacy Policy and Data Processing Addendum (DPA).

2. Encryption

Your data is encrypted at every stage:

  • At rest: AES-256 encryption for the database and file storage (Supabase Postgres and Storage, hosted in the EU, Frankfurt region).
  • Connected-account tokens: OAuth tokens for your connected social accounts are additionally encrypted at the application level with AES-256-GCM, using a unique initialization vector and authentication tag per secret.
  • In transit: TLS 1.2 or higher for all connections between your browser, our servers, and our service providers.

3. Access Control

Access to your data is restricted at multiple layers:

  • Row-level security: Postgres row-level security (RLS) scopes every query to your own user at the database level, so one user cannot read another user's rows.
  • Role separation: database clients are role-separated. The client that runs in your browser never holds administrative credentials; privileged operations run only server-side.
  • Encrypted secrets: API keys and environment secrets are stored encrypted in Vercel and Supabase and are never committed to source control.

4. Application Security

The application and its integrations are hardened:

  • Security headers: HSTS and additional security headers are set on responses to enforce HTTPS and reduce common web attack surface.
  • Webhook signature validation: incoming webhooks (Stripe, Inngest) are verified against their cryptographic signatures before any processing.
  • Rate limiting: distributed rate limiting on authentication endpoints slows down credential stuffing and brute-force attempts.

5. Payment Security

Payment card data is handled entirely by Stripe, a PCI-DSS certified payment processor. Card numbers never touch our servers and we never store them. We only store the non-sensitive references Stripe provides (such as customer and subscription IDs).

6. Monitoring and Incident Response

We watch for problems and commit to notifying you when they matter:

  • Error monitoring: application errors are captured and monitored via Sentry.
  • Breach notification: if a data breach affects your personal data, we will notify affected users and the relevant authorities within 72 hours where required by law (such as GDPR Article 33).

7. Current Limitations

We prefer honesty over security theater. Here is what we do not have yet:

  • Single-operator company: Brainpercent is currently built and operated by one person. There is no 24/7 security team and no multi-person separation of duties. Production access is limited to that one person, which also keeps the internal attack surface minimal.
  • SOC 2 / ISO 27001: not yet available. We do not claim SOC 2, ISO 27001, or any other certification we do not hold, and we have not completed a third-party penetration test.

8. Responsible Disclosure

If you believe you have found a security vulnerability, email edward@brainpercent.com with subject "Security".

Include steps to reproduce. Please do not access other users' data, degrade the Service, or publicly disclose the issue before we have had a reasonable chance to fix it. We read every report and aim to respond within 72 hours.