How Graphletter handles data protection and access control.
All data is encrypted in transit (TLS 1.3) and at rest (AES-256). Database connections use SSL.
Multi-tenant data isolation enforced at the database layer via Supabase RLS policies. Users can only access their own data.
Uploaded documents are processed in serverless functions and not retained beyond the assessment lifecycle. AI providers receive only extracted text, not raw files.
Authentication uses Supabase OAuth (Google, GitHub) with session management. Server-side auth guards verify the user on every protected route handler and server component.
Report security issues to security@graphletter.com following SECURITY.md. We acknowledge reports within 48 hours.