How we protect your business

Every workspace lives behind Postgres Row Level Security. A query that doesn’t carry the right session can’t see another tenant’s data, even if a misconfigured handler tries. We test these policies as part of CI — adding a table without RLS fails the build.

TLS 1.2+ on every connection. Data at rest is encrypted by the underlying Postgres cluster. Backups inherit the same encryption. Secrets never live in code or in client bundles.

Sessions are managed by Supabase Auth with HttpOnly, Secure, SameSite=Lax cookies. Password reset tokens are single-use and expire in one hour. Email verification is required before paid features unlock. We rate-limit login, signup, password reset, and invite acceptance.

We do not send your data to AI providers for training. Audio sent for transcription is deleted immediately after the transcript comes back. AI providers (Anthropic, Deepgram) process data only on our behalf, under their own enterprise privacy policies.

Production migrations are reviewed and reversible. Sensitive endpoints are rate-limited. We log requests with request IDs but never log passwords, tokens, full auth headers, or prompt bodies. Customer support cannot see your AI prompts.

If you believe you’ve found a security issue, please email security@procedurally.app with a description and reproduction steps. We acknowledge reports within two business days and don’t pursue researchers acting in good faith.