01
Security
Encryption
Data in TransitTLS 1.3 on all connections
Data at RestAES-256 for all stored data
Payment DataNever stored — processed entirely by Stripe
Authentication & Identity
Sign-in methodsEmail/password (bcrypt hashing), OAuth via Google and GitHub
Multi-Factor AuthTOTP-based 2FA — Google Authenticator, Authy
Session ManagementJWT tokens with automatic expiration and secure cookie storage
Domain DiscoveryB2B users matched to their org before login; unauthorized domains blocked
Access Control
Row-Level SecurityDatabase-level RLS — users only access their own data
Role-Based AccessGranular permissions for team members and admins
API SecurityRate limiting and request validation on all endpoints
Application Security
Input ValidationSanitization and parameterized queries — SQL injection prevention
XSS & CSRFContent Security Policy headers, CSRF protection on state-changing ops
Monitoring
AlertingReal-time detection of suspicious activity
Audit LoggingComprehensive logs across all critical operations
Incident ResponseDocumented procedures; security reports acknowledged within 48h
02
Privacy
Data collectionOnly what is necessary to run the platform
Data sharingNever sold or shared with third parties for advertising
PaymentsProcessed by Stripe — we never store card data
Robotics dataYour project data is isolated and private by default
DeletionFull data deletion on account closure, upon request
03
Compliance
GDPREU data protection requirements met
CCPACalifornia Consumer Privacy Act compliance
SOC 2 Type IIVia Supabase — our primary data infrastructure
PCI DSS Level 1Payment security via Stripe
04
Infrastructure
HostingVercel — global edge network with automatic DDoS protection
Database & AuthSupabase — SOC 2 Type II certified
PaymentsStripe — PCI DSS Level 1 certified
AvailabilityMulti-region redundancy for high availability
BackupsAutomated daily backups with point-in-time recovery
05
Your Role in Security
Security is a shared responsibility. Here is what you can do to keep your account and your team's data safe.
PasswordUse a strong, unique password for your account
MFAEnable 2FA when available for your organization
CredentialsKeep your login credentials confidential
IncidentsReport any suspicious activity to security@nodeably.com immediately
06
Responsible Disclosure
Found a security issue? We take every report seriously and commit to responding within 48 hours. Please do not publicly disclose the vulnerability until we have had time to address it.
Report security vulnerabilities
Email: security@nodeably.com