Security Policy
Last updated: June 19, 2026 · Vrexis Technologies
Security is built into every layer of BriefOps — not added as an afterthought. This page describes the technical and organizational measures we take to protect your data and your clients' data.
Authentication Security
User authentication is handled by Supabase Auth, which supports secure email and password authentication with bcrypt hashing, OAuth 2.0 via Google and Microsoft, email verification for new accounts, and secure session management with httpOnly JWT cookies. Passwords are never stored in plaintext. Session tokens are refreshed automatically on every request via middleware.
Infrastructure
Hosting
BriefOps is hosted on Vercel, which provides automatic HTTPS, DDoS protection, and global edge deployment. All server-side API routes run in isolated serverless functions with no persistent state between requests.
Database
User data is stored in Supabase on PostgreSQL. Supabase is SOC 2 Type II certified, encrypts all data at rest using AES-256, and provides automated backups. Database access is restricted to authenticated requests carrying a valid JWT. Row Level Security is enabled on every table.
AI Processing
Brief generation is performed via Anthropic's Claude API under enterprise terms. All API calls are made server-side only. No client data is logged beyond what is necessary to deliver the service. Anthropic does not use API-submitted data to train its models.
Email
Transactional emails are sent via Resend using a sending-only API key scoped to briefops.app. The API key has no permissions beyond sending email and cannot read or manage email data.
Rate Limiting
Per-user rate limiting on the brief generation endpoint is enforced via Upstash Redis. This protects against both accidental overuse and deliberate abuse of the AI generation pipeline.
Data Isolation
Every database table in BriefOps has Row Level Security enabled. This means database queries are automatically filtered so that each user can only access their own data. Even if a query is constructed incorrectly at the application layer, the database enforces isolation at the storage layer. Agency team members can only access their own briefs — not those of other members on the same team.
Content Security Policy
BriefOps enforces a Content Security Policy on all pages. External resources are restricted to a whitelist of trusted domains. This protects against cross-site scripting, clickjacking, and other injection attacks. Additional security headers including X-Frame-Options, X-Content-Type-Options, and Referrer-Policy are set on all responses.
Vulnerability Disclosure
If you discover a security vulnerability in BriefOps, please report it responsibly to security@briefops.app. We take all security reports seriously and will respond within 48 hours. Please do not publicly disclose vulnerabilities before we have had a reasonable opportunity to investigate and address them.
Security Updates
We monitor our dependencies for known vulnerabilities and apply security patches promptly. Our infrastructure is reviewed and updated regularly to maintain current security standards. Dependency vulnerabilities in third-party packages are tracked and addressed on an ongoing basis.