Security-first architecture

Your data security is our foundation

FeedShield is built on enterprise-grade infrastructure with encryption, tenant isolation, and compliance baked into every layer.

Encrypted at rest

AES-256

Encrypted in transit

TLS 1.3

Database isolation

RLS on every table

SOC 2 infrastructure

Supabase + Vercel

How we protect your data

Six pillars of security cover every layer of the platform, from infrastructure to application logic.

Infrastructure security

Enterprise-grade hosting with multiple layers of protection.

  • Supabase (SOC 2 Type II certified) on AWS infrastructure
  • Vercel enterprise-grade edge network and serverless functions
  • AWS physical security: biometric access, 24/7 monitoring, ISO 27001
  • Automated infrastructure patching and updates
  • DDoS protection via Vercel edge network
  • Geographic distribution for redundancy

Data encryption

All data encrypted both at rest and in transit.

  • AES-256 encryption at rest for all stored data (Supabase/AWS)
  • TLS 1.3 encryption for all data in transit
  • OAuth tokens stored with additional encryption layer
  • Database backups encrypted at rest
  • HTTPS enforced on all endpoints with HSTS headers

Authentication and access

Secure, modern authentication; passwords are never stored in plaintext.

  • Supabase Auth with Google OAuth 2.0
  • bcrypt password hashing for email/password accounts
  • Secure session management with short-lived JWTs
  • Automatic token refresh with encrypted refresh tokens
  • Account lockout after failed authentication attempts

Row-level security (RLS)

Every database table has RLS policies for tenant isolation.

  • PostgreSQL row-level security on all tables
  • Tenant isolation: organizations can only access their own data
  • Security-definer functions to prevent RLS bypass
  • No cross-tenant data leakage possible at the database level
  • Regular RLS policy audits and testing
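As an added illustration of the tenant-isolation pattern described above (not FeedShield's own schema), the following shows PostgreSQL row-level security in the style of a Supabase project, with a security-definer helper so the policy can consult membership data the caller cannot read directly. The table and column names, the `auth.uid()` helper and the `authenticated` role are assumptions for this example.

```sql
-- Added example: tenant isolation with PostgreSQL RLS in the style of a
-- Supabase project. Not FeedShield's schema; the table and column names,
-- the auth.uid() helper and the "authenticated" role are assumptions.
create table memberships (
  user_id uuid not null,              -- auth.users(id) in Supabase
  org_id  uuid not null,
  primary key (user_id, org_id)
);

create table feeds (
  id     uuid primary key default gen_random_uuid(),
  org_id uuid not null,
  url    text not null
);

-- SECURITY DEFINER helper: checks membership with the owner's privileges,
-- so callers never need direct read access to memberships. The fixed
-- search_path stops a caller from shadowing the objects it names.
create or replace function current_user_org_ids()
returns setof uuid
language sql security definer stable
set search_path = public
as $$
  select org_id from memberships where user_id = auth.uid();
$$;

-- With RLS enabled and no matching policy every row is denied by default;
-- FORCE applies the policies to the table owner as well.
alter table feeds enable row level security;
alter table feeds force row level security;

-- One policy per command: USING filters reads, WITH CHECK stops a write
-- from creating or moving a row into another organization.
create policy feeds_select on feeds for select
  using (org_id in (select current_user_org_ids()));
create policy feeds_insert on feeds for insert
  with check (org_id in (select current_user_org_ids()));
create policy feeds_update on feeds for update
  using (org_id in (select current_user_org_ids()))
  with check (org_id in (select current_user_org_ids()));
create policy feeds_delete on feeds for delete
  using (org_id in (select current_user_org_ids()));

-- Only the policy path should read memberships or call the helper.
revoke all on memberships from authenticated;
revoke execute on function current_user_org_ids() from public;
grant execute on function current_user_org_ids() to authenticated;
```

A useful audit check is to run the policies as the `authenticated` role with a user who belongs to no organization and confirm that every statement against `feeds` returns or affects zero rows.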

API security

Hardened API endpoints with multiple protection layers.

  • Rate limiting on all public and authenticated endpoints
  • SSRF protection on crawl and URL input endpoints
  • Input validation and sanitization on all user input
  • CORS policies restricting cross-origin requests
  • Security headers: CSP, X-Frame-Options, X-Content-Type-Options
  • Request size limits to prevent payload abuse

Vulnerability management

Proactive scanning and rapid response to security issues.

  • Automated dependency scanning via npm audit
  • Regular code reviews with security focus
  • Security headers validated on every deployment
  • Third-party dependency pinning and lockfile enforcement
  • Rapid patching of critical vulnerabilities (< 24 hours)

Data residency

Your data is stored on Supabase hosted on AWS infrastructure. The primary database is located in US East (Virginia). Supabase offers regional project options for organizations with specific data residency requirements.

Database

Supabase / AWS US East

Application

Vercel global edge network

Payments

Stripe (US/EU processing)

Incident response plan

We maintain a documented incident response procedure with clear escalation paths.

1. Detection: automated monitoring and alerting
2. Triage: severity classification within 1 hour
3. Containment: isolate affected systems immediately
4. Notification: inform affected users within 72 hours (GDPR)
5. Remediation: root cause analysis and permanent fix
6. Review: post-incident report and process improvement

Trusted infrastructure

  • Supabase: database
  • Vercel: hosting
  • Stripe: payments
  • Google: APIs
  • Let's Encrypt: SSL

Compliance frameworks

We build to meet the requirements of major data protection regulations.

GDPR

General Data Protection Regulation

Data minimization, right to erasure, data portability, breach notification within 72 hours, legal basis for all processing.

CCPA/CPRA

California Consumer Privacy Act

Right to know, right to delete, right to opt out. We do not sell personal information.

UAE PDPL

Federal Decree-Law No. 45 of 2021

Compliance with the UAE Personal Data Protection Law. Registered in Dubai Silicon Oasis, UAE.

Google API User Data Policy

Limited Use Requirements

Minimal scopes, no advertising use, no human reading of user data, no sale of Google data.

PCI DSS

Payment Card Industry Standard

All payment processing handled by Stripe (PCI DSS Level 1). We never store card data.

Security contact

Found a vulnerability? Have a security concern? We take every report seriously and aim to respond within 24 hours.

[email protected]

Responsible disclosure

We welcome responsible vulnerability disclosure from security researchers. If you discover a security issue, please report it to us before disclosing publicly. We commit to acknowledging your report within 48 hours and providing a resolution timeline.

A formal bug bounty program is planned. In the meantime, we recognize and credit all valid reports.

Questions about our security practices? Read our Privacy Policy or Terms of Service for more details.