Encelade
Security

Last updated: March 30, 2026

At Encelade, protecting your data is a core priority. This page describes the technical and organizational measures we employ to keep your information safe.

1. Infrastructure

  • Hosting: the Service is hosted on Vercel's global edge network with automatic failover and DDoS protection.
  • Database: application data is stored in Supabase (PostgreSQL) with automated backups, point-in-time recovery, and row-level security policies.
  • File storage: user-uploaded files are stored in Vercel Blob with per-object access control.

2. Encryption

  • In transit: all data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher.
  • At rest: database storage and backups are encrypted using AES-256. Supabase manages encryption keys through their infrastructure.

3. Authentication and Access Control

  • User authentication: powered by Supabase Auth with support for magic links and Google OAuth.
  • Session management: sessions use secure, HTTP-only cookies with automatic expiration and refresh token rotation.
  • Team access: role-based access control (RBAC) ensures team members only access resources they are authorized for.
  • Internal access: access to production systems is restricted to authorized personnel, requires multi-factor authentication, and follows the principle of least privilege.

4. Payment Security

All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor. We never store, process, or have access to your full credit card numbers. Payment information is transmitted directly to Stripe using their client-side SDK.

5. AI Data Handling

When you use AI generation features, your input is transmitted securely to our AI providers (Anthropic, OpenAI, Google) via encrypted API connections. See our AI Terms of Use for details on how your data is handled by these providers.

  • Your content is not used for AI model training by our providers.
  • API connections use TLS encryption and authenticated API keys.
  • We maintain zero-retention API agreements where available.

6. Incident Response

We maintain an incident response process to handle security events:

  • Detection: automated monitoring and alerting for suspicious activity.
  • Response: defined escalation procedures for security incidents.
  • Notification: affected users and relevant authorities will be notified within 72 hours of confirmed data breaches, as required by GDPR and applicable law.
  • Post-incident review: root cause analysis and remediation to prevent recurrence.

7. Vulnerability Disclosure

If you discover a security vulnerability in our Service, we encourage you to report it responsibly. Please email us at security@encelade.app with a detailed description. We ask that you:

  • Give us reasonable time to investigate and address the issue before disclosing it publicly.
  • Avoid accessing or modifying data that does not belong to you.
  • Act in good faith to avoid disruption to the Service.

8. Contact

For security questions or to report an incident, contact us at security@encelade.app.

© 2026 Encelade. All rights reserved.