Security

How we protect your data

As a compliance documentation platform, we hold ourselves to the same security standards we help our customers achieve.

Encryption

  • All data transmitted over HTTPS with TLS 1.3
  • Integration credentials encrypted at rest using AES-256
  • Database encryption at rest via Supabase (PostgreSQL)
  • Encryption keys managed separately from application data

Authentication & Access

  • Supabase Auth with email/password and Google OAuth
  • Row-level security (RLS) policies on all database tables
  • API routes protected with session-based authentication
  • Service role keys restricted to server-side operations only

Infrastructure

  • Hosted on Vercel with automatic DDoS protection
  • Database hosted on Supabase (AWS infrastructure)
  • No customer data stored on local servers or developer machines
  • Automatic HTTPS certificate management

AI Data Handling

  • Company profile data sent to Anthropic Claude API for document generation
  • Anthropic does not use API inputs to train models
  • No customer data is shared between accounts
  • Generated documents stored exclusively in your account

Integration Security

  • Third-party credentials (AWS, GitHub, Okta) encrypted at rest
  • Credentials decrypted only during scheduled compliance scans
  • Integrations can be disconnected at any time
  • Least-privilege API permissions requested for each integration

Payment Security

  • Payments processed by DodoPayments (PCI DSS compliant)
  • Credit card numbers never touch our servers
  • Subscription management via secure third-party portal

Monitoring & Incident Response

  • Daily automated compliance scans for connected integrations
  • Real-time notifications for check failures and status changes
  • Incident response procedures for security events
  • Regular dependency vulnerability scanning

Responsible Disclosure

  • Security vulnerabilities can be reported to security@poliwriter.com
  • We acknowledge reports within 48 hours
  • We aim to remediate critical issues within 7 days
  • We do not pursue legal action against good-faith security researchers

Have a security concern?

If you've found a vulnerability or have questions about our security practices, we want to hear from you.

Report a VulnerabilityContact Us