Security at Convexly
How we protect your decision data
Data Protection
- Encryption at rest via AES-256 (AWS infrastructure)
- Encryption in transit with TLS 1.3 on all connections
- Row-level security (RLS) enforced on every database table
- Strict data isolation per user and team — no shared access
- JWT authentication via Supabase Auth with automatic token refresh
Infrastructure
- Frontend hosted on Vercel with global CDN and DDoS protection
- API hosted on Railway with auto-scaling, isolated containers
- Database on Supabase (managed PostgreSQL on AWS)
- All services deployed in US regions
- Automated deployments with zero-downtime rollouts
Application Security
- Content Security Policy (CSP) headers on all responses
- HTTP Strict Transport Security (HSTS) with preload
- Rate limiting on all compute endpoints
- Input validation on every API endpoint
- Stripe webhook signature verification on payment events
- No plaintext credentials stored in the codebase
Access Controls
- Service role key restricted to cron jobs and webhooks only
- All API endpoints require an authenticated JWT (except /health)
- Server-side plan enforcement on premium features
- CORS restricted to configured origins
Privacy & Compliance
- All decisions are private by default
- Public profiles are opt-in only
- Cookie consent with accept/decline options
- Privacy policy and terms of service published
- Data export available in CSV and JSON formats
- GDPR-ready infrastructure and data handling
Security Roadmap
- SOC 2 Type 1 certification (planned)
- SOC 2 Type 2 certification (planned)
- Third-party penetration testing (planned)
- Bug bounty program (planned)
Questions about our security practices?
We're happy to discuss our security posture in detail.
security@convexly.app