Security Policy

Last updated: March 4, 2026

At Cramigo, we take the security of your data seriously. This page describes the security practices, infrastructure, and safeguards we use to protect your information. Our goal is to be transparent about how we keep your data safe.

1. Infrastructure

Cramigo runs on modern, enterprise-grade infrastructure provided by industry-leading platforms:

  • Vercel — Our application is hosted on Vercel's global edge network, providing fast, reliable delivery with built-in DDoS protection and automatic HTTPS.
  • Supabase — Our database runs on Supabase's managed PostgreSQL service, which provides automated backups, high availability, and enterprise-grade security controls.

2. Data Encryption

  • In transit — All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher. This applies to every page load, API call, and file upload.
  • At rest — All data stored in our database and file storage is encrypted using AES-256 encryption, provided by Supabase and Vercel's underlying infrastructure.

3. Authentication

User authentication is managed by Supabase Auth, a production-hardened authentication system:

  • Passwords are hashed using bcrypt with a high cost factor before storage. We never store plaintext passwords.
  • Email verification is required for new accounts.
  • Session tokens are securely managed with HTTP-only cookies and automatic rotation.

4. Payment Security

All payment processing is handled by Stripe, a PCI DSS Level 1 certified service provider, which is the highest level of PCI DSS compliance. This means:

  • Your credit card number, CVV, and billing details are processed entirely by Stripe and never touch our servers.
  • We only store a Stripe customer ID and subscription status to manage your account access.
  • All payment pages use Stripe's hosted checkout, which is independently audited for security compliance.

5. Access Controls

We enforce strict access controls at every level of the application:

  • Row-Level Security (RLS) — PostgreSQL Row-Level Security policies enforce that users can only read and modify their own data. These policies are enforced at the database level, not just the application level.
  • Admin access — Administrative operations (content management, user support) require a separate admin flag and are restricted to authorized team members.
  • Service role isolation — Operations requiring elevated database access (such as content generation jobs) use the Supabase service role, which bypasses Row-Level Security. Its key is used only in server-side code and is never exposed to client-side code.
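As an added illustration of what the Row-Level Security and service-role bullets above mean in practice (this is example SQL written for this page, not Cramigo's actual schema or policies; the `notes` table and its `user_id` column are assumptions), the following locks a table down so that a signed-in user can read and write only rows whose `user_id` matches the identity in their Supabase JWT. `auth.uid()` is Supabase's built-in helper that returns the authenticated user's ID from the request's JWT, and returns NULL for anonymous requests.

```sql
-- Example only: hypothetical table, not Cramigo's schema.
create table if not exists public.notes (
  id         bigint generated always as identity primary key,
  user_id    uuid not null default auth.uid() references auth.users (id),
  body       text not null,
  created_at timestamptz not null default now()
);

-- RLS is off by default; until it is enabled, the policies below are ignored
-- and any role with table access can read every row.
alter table public.notes enable row level security;

-- Read: a user sees only their own rows. For anon requests auth.uid() is NULL,
-- so the predicate is never true and no rows are returned.
create policy "notes_select_own"
  on public.notes for select
  to authenticated
  using (auth.uid() = user_id);

-- Insert: WITH CHECK guards the row being written, so a user cannot insert a
-- row attributed to someone else. USING alone would not enforce this.
create policy "notes_insert_own"
  on public.notes for insert
  to authenticated
  with check (auth.uid() = user_id);

-- Update: USING restricts which existing rows may be touched, WITH CHECK
-- restricts the new values, so a user cannot reassign a row to another user.
create policy "notes_update_own"
  on public.notes for update
  to authenticated
  using (auth.uid() = user_id)
  with check (auth.uid() = user_id);

create policy "notes_delete_own"
  on public.notes for delete
  to authenticated
  using (auth.uid() = user_id);

-- The Supabase service role has BYPASSRLS and ignores every policy above.
-- That is the reason its key belongs only in trusted server-side code.

-- Self-check from psql against a local Supabase database: impersonate one
-- user inside a transaction and confirm the filter applies (UUID is made up).
begin;
set local role authenticated;
select set_config('request.jwt.claims',
  '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}',
  true);
select count(*) from public.notes;   -- counts only that user's rows
rollback;
```

The self-check is the part worth repeating whenever a policy changes: a policy that is written but never exercised as the `authenticated` role is easy to get wrong, and a missing `with check` on an insert or update policy is the classic way a "users can only modify their own data" guarantee quietly fails.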

6. Application Security

Our application follows modern security best practices:

  • Input validation — All user inputs are validated and sanitized on the server side before processing.
  • CSRF protection — Next.js server actions accept only POST requests and verify that the request's Origin header matches the host the page was served from, giving form submissions and other mutations built-in cross-site request forgery protection.
  • Secure headers — Every response includes Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and Strict-Transport-Security headers to guard against common web attacks.
  • Rate limiting — API endpoints are rate-limited to prevent abuse and protect against automated attacks.
  • Dependency management — We regularly review and update third-party dependencies to address known vulnerabilities.

7. Vulnerability Reporting

We welcome responsible disclosure of security vulnerabilities. If you discover a security issue, please report it to us privately so we can address it before it can be exploited.

Report a vulnerability:

Email: security@cramigo.com

Please include a detailed description of the vulnerability, the steps to reproduce it, and any potential impact. We ask that you give us reasonable time to investigate and resolve the issue before making any public disclosure.

8. Incident Response

In the event of a security incident that affects your personal data, we are committed to:

  • Notifying affected users within 72 hours of confirming the breach.
  • Providing a clear description of what happened, what data was involved, and what steps we are taking to address it.
  • Working with our infrastructure providers to investigate the root cause and prevent recurrence.
  • Reporting to applicable regulatory authorities as required by law.

9. Contact

If you have any questions about our security practices, please contact us:

Cramigo LLC

Security: security@cramigo.com

General: legal@cramigo.com