Security
Security is foundational to SiteSupport.ai. Here's how we protect your data.
Infrastructure
- Hosting — Deployed on Vercel's edge network with automatic DDoS protection and CDN.
- Database — PostgreSQL on Neon with encryption at rest, automated backups, and point-in-time recovery.
- Vector storage — Upstash Vector with TLS encryption and isolated namespaces per site.
Data Protection
- Encryption in transit — All data transmitted over TLS 1.2+.
- Encryption at rest — Database and vector storage are encrypted at rest using AES-256.
- Password security — Passwords are hashed with bcrypt (cost factor 12). We never store plaintext passwords.
- API keys — All secrets are stored in encrypted environment variables, never in code.
Application Security
- Authentication — NextAuth.js v5 with secure session management and CSRF protection.
- Rate limiting — Per-IP and per-visitor rate limits on all public endpoints to prevent abuse.
- Input validation — All user inputs are validated and sanitized server-side.
- CORS — Strict cross-origin policies on API endpoints.
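The per-IP and per-visitor limits above are a defensive control worth seeing concretely. What follows is an added illustration, not SiteSupport.ai's own code: a sliding-window limiter keyed by client identifier, with an injectable clock so its behaviour can be checked deterministically. The limits, the IP address (from the 203.0.113.0/24 documentation range), the visitor id and the in-memory store are all constructed assumptions for the example.

```javascript
// Added example (not SiteSupport.ai code): sliding-window rate limiting keyed
// per client (IP address or visitor id), of the kind a public endpoint sits behind.
// Limits and identifiers are constructed for illustration.

class SlidingWindowLimiter {
  constructor({ limit, windowMs, now = () => Date.now() }) {
    this.limit = limit;       // max requests allowed inside one window
    this.windowMs = windowMs; // window length in milliseconds
    this.now = now;           // injectable clock, so tests are deterministic
    this.hits = new Map();    // key -> timestamps of requests still inside the window
  }

  // Records one request from `key` and reports whether it is allowed.
  // Returns { allowed, remaining, retryAfterMs }.
  check(key) {
    const t = this.now();
    const cutoff = t - this.windowMs;
    // Drop timestamps that have slid out of the window before counting.
    const stamps = (this.hits.get(key) || []).filter((s) => s > cutoff);
    if (stamps.length >= this.limit) {
      this.hits.set(key, stamps);
      // The oldest request in the window decides when a slot frees up again.
      return { allowed: false, remaining: 0, retryAfterMs: stamps[0] + this.windowMs - t };
    }
    stamps.push(t);
    this.hits.set(key, stamps);
    return { allowed: true, remaining: this.limit - stamps.length, retryAfterMs: 0 };
  }
}

// Layer two limiters: a request must pass the per-IP limit and the per-visitor limit.
// The per-IP check runs first so a flood from one address never consumes visitor quota.
function makeGuard({ ipLimiter, visitorLimiter }) {
  return function guard({ ip, visitorId }) {
    const byIp = ipLimiter.check(`ip:${ip}`);
    if (!byIp.allowed) return { status: 429, reason: 'ip', retryAfterMs: byIp.retryAfterMs };
    const byVisitor = visitorLimiter.check(`visitor:${visitorId}`);
    if (!byVisitor.allowed) return { status: 429, reason: 'visitor', retryAfterMs: byVisitor.retryAfterMs };
    return { status: 200, reason: null, retryAfterMs: 0 };
  };
}

// Simulation on constructed traffic: one address sends six requests one second apart
// against a limit of 5 per 60 s, then retries after the window has slid past.
function simulate() {
  let clock = 1_000_000; // fake clock in milliseconds
  const now = () => clock;
  const guard = makeGuard({
    ipLimiter: new SlidingWindowLimiter({ limit: 5, windowMs: 60_000, now }),
    visitorLimiter: new SlidingWindowLimiter({ limit: 20, windowMs: 60_000, now }),
  });
  const statuses = [];
  for (let i = 0; i < 6; i++) {
    statuses.push(guard({ ip: '203.0.113.7', visitorId: 'v-1' }).status);
    clock += 1_000;
  }
  clock += 60_000; // slide past the 60 s window
  statuses.push(guard({ ip: '203.0.113.7', visitorId: 'v-1' }).status);
  return statuses; // five 200s, one 429, then 200 again once the window has moved
}
```

The in-memory `Map` keeps the example self-contained; on an edge network where many instances serve the same endpoint, the counters would have to live in a store shared across instances, otherwise each instance enforces its own independent limit. Returning `retryAfterMs` lets the handler set a `Retry-After` header on the 429 response rather than silently dropping the request.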
AI Data Handling
- We use OpenAI's API with data retention disabled.
- Your content is never used to train AI models.
- AI processing happens via API calls — no data is stored on OpenAI's servers beyond the request lifecycle.
Access Control
- Production database access is restricted to essential services only.
- All administrative actions are logged.
- Team members use individual accounts, granted access following the principle of least privilege.
Data Isolation
Each organization's data is logically isolated. Vector embeddings are stored in separate namespaces per site, ensuring no cross-contamination between customers.
Incident Response
In the event of a security incident, we will notify affected customers within 72 hours via email, including details of the incident, impact assessment, and remediation steps.
Responsible Disclosure
Found a vulnerability? Please report it to security@sitesupport.ai. We appreciate responsible disclosure and will acknowledge your report within 48 hours.