Security Practices

1. Encryption

In Transit

• All traffic is encrypted with TLS 1.2+ (HTTPS enforced).
• HTTP Strict Transport Security (HSTS) headers are applied.
• API calls to all connected marketplace and integration APIs use TLS exclusively.

At Rest

• Database storage is AES-256 encrypted at rest (Supabase / PostgreSQL on AWS infrastructure).
• OAuth tokens and platform credentials are stored encrypted in the database.
• Backups are encrypted using the same standard.

2. Authentication & Access Control

• User authentication via Supabase Auth with email/password and secure session tokens.
• Platform integrations use OAuth 2.0 with scoped, least-privilege access.
• All API routes enforce authentication and authorization checks.
• Production infrastructure uses SSH key-only access — no password authentication.
• Principle of least privilege applied to all service accounts and API keys.

3. Network Security

• Production application hosted on Vercel — DDoS protection, edge caching, and automatic TLS.
• Database hosted on Supabase (AWS EU-West-1, Ireland) — network-isolated, not publicly accessible except via authenticated API.
• Webhook payloads verified via HMAC-SHA256 signatures.

4. Data Handling & Segregation

• Each merchant's data is logically segregated by user ID and enforced via Row-Level Security (RLS) in PostgreSQL.
• We do not store end-customer personal data (buyer PII) from connected stores.
• No payment card data is stored — all billing processed by Stripe (PCI DSS Level 1).
• Data classification: OAuth tokens treated as secrets; product/inventory data treated as confidential business data.

5. Endpoint & Application Security

• Input validation and sanitization on all API endpoints.
• CSRF protection via SameSite cookies and origin verification.
• Content Security Policy (CSP) headers configured.
• Dependencies audited regularly via npm audit and automated vulnerability scanning.

6. Incident Response

1. Detection — Monitoring and alerting for anomalous access patterns.
2. Containment — Immediate token revocation and access isolation.
3. Notification — Affected users, platform partners, and regulators notified within 72 hours (per GDPR Article 33).
4. Resolution — Root cause analysis, remediation, and post-incident report.

7. Vulnerability Management

• Dependencies and base images kept up to date.
• Automated security scanning in CI/CD pipeline.
• Responsible disclosure: security issues can be reported to security@brik.consulting.

8. Compliance & Certifications

brik.consulting is an early-stage company. We do not currently hold ISO 27001 or SOC 2 certifications. We comply with the GDPR (EU) and CCPA (California) frameworks, and our infrastructure providers maintain the following certifications:

• Supabase / AWS — SOC 2 Type II, ISO 27001, GDPR compliant
• Vercel — SOC 2 Type II
• Stripe — PCI DSS Level 1

9. Data Deletion & End-of-Contract

Upon termination of a customer relationship or at the request of a platform partner, all collected data is deleted within 30 days. OAuth tokens are revoked immediately upon disconnection.

10. Contact

For security questions or to report a vulnerability:
security@brik.consulting