Security at PrivaBase

We build privacy compliance tools, so security isn't just a feature; it's our foundation. Here's how we protect your data.

๐Ÿ”Encryption

  • TLS 1.3 for all data in transit (HTTPS everywhere)
  • AES-256-GCM encryption for sensitive fields at rest
  • Random tokens (password reset, API keys, sessions) stored only as SHA-256 hashes, never in plaintext
  • Database-level encryption via Supabase (AWS encryption at rest)

๐Ÿ—๏ธInfrastructure

  • Hosted on Vercel (SOC 2 Type II certified)
  • Database on Supabase (SOC 2 Type II, HIPAA compliant)
  • US-East region (Virginia) for primary infrastructure
  • Automatic failover and redundancy
  • No customer data stored on local machines or development environments

Authentication & Access

  • JWT-based authentication with 30-minute access tokens
  • Refresh token rotation with 30-day expiry
  • Email verification required on signup
  • Rate limiting on all endpoints (100 requests/min general, 10 requests/min on authentication endpoints)
  • API key authentication with scoped permissions
  • CORS restricted to privabase.com subdomains only

๐Ÿ›ก๏ธApplication Security

  • Input validation and sanitization on all endpoints
  • UUID parameter validation middleware
  • SQL injection prevention via parameterized queries
  • XSS protection through React's built-in escaping
  • CSRF protection on all state-changing operations
  • Security headers (Strict-Transport-Security, X-Content-Type-Options, etc.)
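
Three of the checks listed above and in the previous section (CORS restricted to privabase.com subdomains, UUID parameter validation middleware, parameterized queries), as an added example that is not PrivaBase's own code. They are plain functions so they run without a web framework; the middleware follows the Express (req, res, next) shape, the query object follows node-postgres' { text, values } shape, and the route parameter, table and column names are this example's assumptions. The query also scopes by tenant, which is how the "logical separation" claim under Data Handling is usually enforced at the SQL layer.

```javascript
// Added example, not PrivaBase's code: origin allow-listing, UUID parameter validation and
// a parameterized query, written as plain functions so they run without a web framework.

// --- CORS: only https origins on privabase.com or one of its subdomains ---
// Compare the parsed hostname, not the raw string: origin.endsWith('privabase.com') would admit
// https://evilprivabase.com and origin.includes('privabase.com') would admit https://privabase.com.evil.net.
const ALLOWED_APEX = 'privabase.com';

function isAllowedOrigin(origin) {
  if (typeof origin !== 'string') return false;
  let u;
  try { u = new URL(origin); } catch { return false; }   // "null" and garbage both fail here
  if (u.origin !== origin) return false;                 // rejects paths, userinfo, fragments, odd casing
  if (u.protocol !== 'https:') return false;
  return u.hostname === ALLOWED_APEX || u.hostname.endsWith('.' + ALLOWED_APEX);
}

// Echo the specific origin back (never '*' on a credentialed response) and tell caches it varies.
function corsHeaders(origin) {
  if (!isAllowedOrigin(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// --- UUID path parameters: Express-style middleware (req, res, next) ---
// RFC 4122 layout including the version and variant nibbles; anything else is a 400
// before any handler or query runs. (Assumed route parameter name is passed in.)
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[1-8][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;

function requireUuidParam(name) {
  return (req, res, next) => {
    const value = req.params ? req.params[name] : undefined;
    if (typeof value !== 'string' || !UUID_RE.test(value)) {
      res.status(400).json({ error: `invalid ${name}` });
      return;
    }
    req.params[name] = value.toLowerCase();   // canonical form for lookups and logs
    next();
  };
}

// --- Parameterized query: values are bound, never spliced into SQL text ---
// Shape matches node-postgres' { text, values }; $1/$2 are placeholders the driver binds,
// so a value like "x' OR 1=1" is compared as a literal string, not parsed as SQL.
// Table and column names are assumed for the example.
function findRecordQuery(tenantId, recordId) {
  return {
    text: 'SELECT id, payload FROM records WHERE tenant_id = $1 AND id = $2',
    values: [tenantId, recordId],
  };
}
```

The origin check is where suffix-matching bugs usually hide, so it is worth testing with the look-alike hosts in the comment rather than only with the legitimate ones.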

Compliance

  • GDPR compliant: cookie consent, DSAR support, data minimization
  • CCPA compliant: opt-out support, data access/deletion requests
  • HIPAA considerations for healthcare customers (BAA available)
  • SOC 2 Type II controls implemented (self-assessed)
  • Regular security audits and vulnerability assessments

๐Ÿ‘๏ธMonitoring & Incident Response

  • Continuous monitoring of all API endpoints
  • Automated alerting on anomalous activity
  • Audit logging for all data access and administrative actions
  • Incident response plan with 24-hour notification commitment
  • Regular backup testing and disaster recovery procedures

Data Handling

  • Data minimization: we only collect what's necessary
  • No selling of customer data to third parties, ever
  • Customer data isolation โ€” each account's data is logically separated
  • Data retention policies aligned with applicable regulations
  • Right to deletion supported โ€” data is permanently purged on request

Report a Vulnerability

Found a security issue? We appreciate responsible disclosure. Please email us with details and we'll respond within 24 hours.

security@privabase.com

Last security audit: February 12, 2026 · Next scheduled audit: May 2026

Questions? Contact us · Submit a data request