Security & trust

Your business data deserves real protection, not a badge. Here's exactly what's in place today.

Password security

Passwords are hashed with bcrypt (industry-standard, cost factor 12) — never stored or logged in plain text.

Encrypted transport

All traffic runs over HTTPS/TLS end to end, on both the app (Vercel) and API (Railway).

Authenticated sessions

Access is controlled with signed JWT session tokens; every business's data is scoped strictly to its owner.

Rate limiting & abuse protection

Every API endpoint is rate-limited, with tighter limits on login/signup and public AI endpoints, to block brute-force and automated abuse.

Injection-safe data layer

All database access goes through a parameterized ORM (Prisma) — no raw, string-built SQL — closing off SQL-injection attack paths.

Secrets management

API keys and credentials are stored in encrypted platform secret managers, never committed to source code.

Calm, safe error handling

Customers only ever see friendly, actionable messages — raw internal errors and stack traces are never exposed to the client, only logged securely server-side.

On formal certification

Our security practices are built following ISO/IEC 27001 information-security principles. We have not yet pursued formal ISO 27001 certification or a SOC 2 audit — we believe in being precise about that distinction rather than implying a certification we don't hold. As the platform grows, formal certification is on our roadmap.

Questions about how your data is handled? Reach out any time — we're glad to walk through it.

BrandNova