Security at PrivaBase

We build privacy compliance tools — so security isn't just a feature, it's our foundation. Here's how we protect your data.

Encryption

  • TLS 1.3 for all data in transit (HTTPS everywhere)
  • AES-256-GCM encryption for sensitive fields at rest
  • SHA-256 hashed tokens (password reset, API keys, sessions)
  • Database-level encryption via Supabase (AWS encryption at rest)

Infrastructure

  • Hosted on Vercel (SOC 2 Type II certified)
  • Database on Supabase (SOC 2 Type II, HIPAA compliant)
  • US-East region (Virginia) for primary infrastructure
  • Automatic failover and redundancy
  • No customer data stored on local machines or development environments

Authentication & Access

  • JWT-based authentication with 30-minute access tokens
  • Refresh token rotation with 30-day expiry
  • Email verification required on signup
  • Rate limiting on all endpoints (100/min general, 10/min auth)
  • API key authentication with scoped permissions
  • CORS restricted to privabase.com subdomains only

Application Security

  • Input validation and sanitization on all endpoints
  • UUID parameter validation middleware
  • SQL injection prevention via parameterized queries
  • XSS protection through React's built-in escaping
  • CSRF protection on all state-changing operations
  • Security headers (Strict-Transport-Security, X-Content-Type-Options, etc.)

Compliance

  • GDPR compliant — cookie consent, DSAR support, data minimization
  • CCPA compliant — opt-out support, data access/deletion requests
  • HIPAA considerations for healthcare customers (BAA available)
  • SOC 2 Type II controls implemented (self-assessed)
  • Regular security audits and vulnerability assessments

Monitoring & Incident Response

  • Continuous monitoring of all API endpoints
  • Automated alerting on anomalous activity
  • Audit logging for all data access and administrative actions
  • Incident response plan with 24-hour notification commitment
  • Regular backup testing and disaster recovery procedures

Data Handling

  • Data minimization — we only collect what's necessary
  • No selling of customer data to third parties, ever
  • Customer data isolation — each account's data is logically separated
  • Data retention policies aligned with applicable regulations
  • Right to deletion supported — data is permanently purged on request

Report a Vulnerability

Found a security issue? We appreciate responsible disclosure. Please email us with details and we'll respond within 24 hours.

security@privabase.com

Last security audit: February 12, 2026 · Next scheduled audit: May 2026


Your Privacy Rights

You have the right to know what personal data we collect, request its deletion, opt out of data sales or sharing, and exercise these rights without discrimination. To submit a privacy request, email privacy@privabase.com or visit our Data Request page.

Data Protection Officer

For GDPR inquiries or data protection concerns, contact our DPO at dpo@privabase.com. Spoon Seller LLC · 110 Coliseum Crossing #5392, Hampton, VA 23666

© 2026 Spoon Seller LLC. All rights reserved.