Security

Tenant isolation

Every organization's data is isolated at the database layer with Postgres row-level security (FORCE RLS), enforced on every query in addition to application-layer scoping.

Credentials

CMS and integration credentials are encrypted at the application layer (AES-256-GCM) and never returned to the browser. Sessions use HTTP-only cookies.

Infrastructure

Hosted on Railway with managed Postgres (Supabase) and Redis on a private network. All traffic is served over HTTPS.

Reporting a vulnerability

Found an issue? Please email security@brandcite.co. We appreciate responsible disclosure.