Security Overview

Last updated: February 2, 2026

Security is foundational to everything we do at Inbounder. We know that your data — your client information, brand voice profiles, and generated content — is sensitive and valuable. This overview describes the security measures we have in place to protect it.

Infrastructure Security

Hosting & Data Centers

Inbounder is hosted on Vercel and uses Supabase for database infrastructure. Both providers maintain industry-leading security practices:

  • SOC 2 Type II certified infrastructure
  • Physical security controls at data center facilities
  • Redundant systems with automatic failover
  • Regular third-party security audits

Network Security

  • Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.3
  • DDoS protection: We use Vercel's built-in DDoS mitigation to protect against distributed denial-of-service attacks
  • Firewall rules: Strict firewall configurations limit access to only necessary ports and services

Data Security

Encryption

  • In transit: All connections are secured with TLS 1.3 encryption
  • At rest: Database backups are encrypted using AES-256
  • Sensitive fields: API keys and other sensitive data are encrypted before storage

Data Isolation

Each customer's data is logically isolated using row-level security policies. This means that even if there were a bug in our application code, one customer's data cannot be accessed by another customer.

Backups

  • Automated daily backups with point-in-time recovery
  • Backups are stored in geographically separate locations
  • Regular backup restoration testing
  • 60-day backup retention

Application Security

Authentication

We use Clerk for authentication, which provides:

  • Secure password hashing using bcrypt
  • Multi-factor authentication (MFA) support
  • Protection against brute-force attacks
  • Session management with secure, httpOnly cookies
  • OAuth integration with major identity providers

Payment Security

All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor. We never store, process, or have access to your full credit card numbers. Payment information is transmitted directly from your browser to Stripe's servers.

Secure Development

  • Code review required for all changes
  • Automated security scanning in CI/CD pipeline
  • Dependency vulnerability monitoring
  • Input validation and output encoding to prevent injection attacks
  • CSRF protection on all state-changing operations

AI Security

Third-Party AI Providers

We use leading AI providers (OpenAI, Anthropic) for content generation. When using these services:

  • No training on your data: We have agreements with our AI providers that your data will not be used to train their models
  • Encrypted transmission: All data sent to AI providers is encrypted in transit
  • Data minimization: We only send the minimum data necessary to generate your requested content
  • No persistent storage: AI providers do not retain your content after processing

Operational Security

Access Control

  • Principle of least privilege: team members have access only to the systems they need
  • All administrative access requires multi-factor authentication
  • Access reviews conducted regularly
  • Immediate access revocation upon role change or departure

Monitoring & Logging

  • Comprehensive logging of security-relevant events
  • Real-time alerting for suspicious activity
  • Log retention for security analysis and compliance
  • Regular review of access patterns and anomalies

Incident Response

We have documented incident response procedures that include detection, containment, eradication, recovery, and post-incident analysis. In the event of a security incident that affects your data, we will notify you promptly in accordance with applicable laws.

Your Responsibilities

Security is a shared responsibility. Here's what you can do to help protect your account:

  • Use a strong, unique password for your Inbounder account
  • Enable multi-factor authentication when available
  • Don't share your login credentials with others
  • Keep your devices and browsers updated
  • Review account activity regularly
  • Report any suspicious activity to us immediately

Reporting Security Issues

If you discover a security vulnerability in Inbounder, please report it to us at security@getinbounder.com. We appreciate responsible disclosure and will work with you to address any issues promptly. We do not currently offer a bug bounty program, but we will publicly acknowledge your contribution if you wish.

Questions

If you have questions about our security practices, please contact us at security@getinbounder.com.

Company Information
Inbounder is a DBA of StartupFormulas LLC
Address: [Address Placeholder]
State of Formation: [State Placeholder]