Security
Last updated: May 2026
This page describes the security baseline Crestento operates under. We’re a small SaaS, not a Fortune-500 enterprise platform — so we’re explicit about both what we do and what we don’t.
Transport and storage encryption
- HTTPS only — TLS 1.2+ enforced on every endpoint.
- Database encryption at rest (Supabase / Postgres + AWS-managed encryption keys).
- Stored secrets (API keys, OAuth tokens, webhook signing secrets) encrypted at rest in our hosting provider’s vault and accessible only to authorised runtime processes.
Authentication and access control
- Customer authentication via passwordless magic links sent to the account email address, so there is no password to leak (an account is therefore only as secure as the mailbox it is tied to); session tokens are issued by Supabase Auth.
- Row-Level Security (RLS) on every customer-data table. Members can only read or write rows belonging to their own org. The application enforces this via Postgres policies, not just application code.
- The operator accounts for our internal services (Lemon Squeezy, Supabase, Anthropic, Vercel, GitHub, Brevo, Wise, domain registrar) are protected by 2FA.
Application security
- Input validation on every API endpoint via the zod schema validator: type, length, and shape checks run before any database write.
- Per-user rate limits on the AI draft endpoint (5 requests / minute, 30 / hour) to deter abuse and protect AI cost margin.
- Payment webhooks (Lemon Squeezy) verified with HMAC-SHA256 signature using the endpoint signing secret — forged events cannot grant paid access.
- AI provider API keys held server-side only. They are never exposed to client browsers.
- File uploads are limited to PDF, DOCX, and plain-text files (up to 3 attachments per review, 5 MB each). On upload we extract the text content and cap it at ~8 KB per file before including it in the AI prompt. We don’t retain the original file binaries.
Data handling for AI
- Our AI provider (Anthropic) does not train models on customer prompts or outputs sent through the API. Per Anthropic’s standard API terms, prompts and outputs are retained on their side for up to 30 days for trust & safety review and then deleted, and longer only if flagged for policy review or required by law.
- We log aggregate AI usage telemetry per call (token counts, cost, latency, model id) for capacity planning and abuse detection. We do not maintain a separate analytics store of the prompt text or response text — your draft prose lives only on the reviews row associated with your account.
- Our database (Supabase Postgres) is encrypted at rest by the hosting provider. We don’t add application-level encryption on top of that, so authorised Crestento personnel can read review content when operationally necessary (see the “What we can see and store” section in our Terms).
- Reference documents you attach are extracted to plain text and stored alongside the review’s structured input. We do not retain the original file binaries.
Backups and continuity
- Daily automated backups of the Postgres database, retained by our hosting provider for 7 days. We do not currently offer point-in-time recovery; PITR becomes available once we move to a paid Supabase plan, which is on the roadmap as customer demand justifies the cost.
- Application code is version-controlled on GitHub; releases are immutable Vercel deployments, with one-click rollback to any recent deploy.
Incident response
We monitor application errors via our error-monitoring provider. In the event of a security incident affecting customer data, we will notify affected customers without undue delay and in any event within 72 hours, in accordance with our Data Processing Agreement.
What we are not (yet)
We are honest about scope. Crestento is currently:
- Not SOC 2 Type 1 or Type 2 certified.
- Not ISO 27001 certified.
- Not HIPAA-compliant (do not enter PHI into the service).
These are on the roadmap as customer demand justifies the audit cost. Customers requiring formal certification before signing should contact us — we can usually share design documents for the controls listed above to support a vendor risk review.
Reporting a vulnerability
Found a security issue? Please email the support address on your billing receipt with details. We respond to security reports within one business day. We don’t currently run a paid bug bounty but we publicly thank responsible reporters.