Security
How we protect your data, your testers, and your clients across every layer of the platform.
What we do
Security at OpenScouter covers four areas: encryption and data handling, access control, infrastructure, and operational security. Every layer has been designed to meet the standards enterprise procurement teams and data protection officers expect.
Encryption and data handling
- AES-256 encryption at rest — All data stored on our Supabase infrastructure is encrypted at rest using AES-256, the same standard used by UK financial institutions. All data in transit is protected via TLS. Scheduled backups are also encrypted at rest.
- No raw biometric storage — Webcam video is processed locally by the DeepFace microservice and discarded immediately. Only derived emotion scores are transmitted and stored. No audio recordings are retained; only text transcripts from the browser's Web Speech API.
- Ephemeral session tokens — Session tokens are 24-hour hex tokens that expire automatically. They are scoped to a single test session and cannot be reused.
- Encrypted client credentials — Test account credentials for authenticated site captures are encrypted at rest and never transmitted to testers or stored in captured archives.
Access control
- Row-Level Security on every table — Every database table has RLS policies. No API route relies on frontend-only access control. Users can only access their own data, enforced at the database layer.
- Four authentication layers — (1) Supabase JWT for dashboard users, (2) 24-hour session tokens for extension-to-API communication, (3) Bearer tokens for internal server-to-server calls, (4) Admin check with RLS bypass for administrative operations. Each layer has a documented implementation pattern and is enforced on every relevant route.
- All admin routes gated — Every admin operation requires passing requireAdmin(), which validates the user's role before granting access to RLS-bypass clients.
Infrastructure
- Vercel (SOC 2 Type II) — Platform hosted on Vercel with automatic HTTPS, global CDN, and SOC 2 Type II certification.
- Supabase (SOC 2 Type II) — Database hosted on Supabase with SOC 2 Type II certification, AES-256 encryption, and region-specific data residency. EU projects keep data in the EU.
- DeepFace on Railway — Emotion analysis microservice runs in a containerised, isolated network environment on Railway.
- Honest note on SOC 2 — OpenScouter relies on infrastructure provider certifications (Supabase and Vercel). We do not yet hold a standalone platform-level SOC 2 certification. If this is a procurement requirement, we can discuss your specific needs.
Operational security
- Webhook signature verification — All inbound webhooks (Stripe, Resend) verify cryptographic signatures before processing. Resend uses Svix HMAC-SHA256 verification.
- Arcjet distributed rate limiting — AI-facing endpoints (chatbot, audit scanner, lead capture) are protected by Arcjet rate limiting. Unlike in-memory rate limiters, Arcjet works correctly on serverless infrastructure where state does not persist between cold starts.
- Injection prevention — SQL ILIKE injection is prevented via an escapeIlike() utility applied across all admin search routes. HTML rendering uses DOMPurify sanitisation.
- Bearer token hardening — Token extraction uses prefix validation and slicing, not string replacement, to prevent prefix manipulation attacks.
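The two utilities named above, shown as an added example rather than OpenScouter's own code: a string-replacement token extractor beside a prefix-validated one, and an ILIKE escaper for user-supplied search terms. Function names and the PostgreSQL backslash escape convention are assumptions.

```typescript
// Added example (not OpenScouter's code). Demonstrates why prefix validation
// plus slicing is safer than string replacement for Authorization headers,
// and how ILIKE metacharacters are escaped before building a search pattern.

// Weak: replace() strips the first "Bearer " wherever it occurs, so a header
// that merely *contains* the prefix ("Basic Bearer abc") still yields a token.
export function extractBearerWeak(header: string | null): string | null {
  if (!header) return null;
  const token = header.replace("Bearer ", "");
  return token.length > 0 ? token : null;
}

// Hardened: the scheme must sit at position 0 (RFC 7235 treats the scheme
// name case-insensitively), and the token is everything after it.
export function extractBearer(header: string | null): string | null {
  if (!header) return null;
  const prefix = "Bearer ";
  if (header.slice(0, prefix.length).toLowerCase() !== prefix.toLowerCase()) {
    return null; // wrong scheme, or the prefix is not at the start
  }
  const token = header.slice(prefix.length).trim();
  return token.length > 0 ? token : null;
}

// Escape %, _ and the escape character itself so user input is matched
// literally by PostgreSQL ILIKE (backslash is the default escape character).
export function escapeIlike(input: string): string {
  return input.replace(/[\\%_]/g, (c) => `\\${c}`);
}

// Build a "contains" pattern; without escaping, a search for "%" would
// match every row in an admin search route.
export function buildContainsPattern(input: string): string {
  return `%${escapeIlike(input)}%`;
}
```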
For details on what personal data we collect and how long we keep it, see our Privacy Policy.
SOC 2 Readiness
In progress
OpenScouter is implementing the technical controls and policy documentation required for SOC 2 Type II certification, targeting the Security, Confidentiality, and Availability Trust Service Criteria. The formal audit with a CPA firm follows after controls are validated.
Controls implemented
- Comprehensive audit logging for authentication and authorization events
- AES-256-GCM encryption at rest for sensitive data
- TLS 1.2+ encryption in transit (HSTS enforced)
- Row-level security on all database tables
- Automated dependency vulnerability scanning in CI
- 24/7 uptime monitoring with AI-powered incident diagnosis
- Formal incident response plan with severity classification
- GDPR Article 9 compliant ND health data handling
Target timeline: Formal audit engagement Q3 2026
Security & Compliance Package
Download our comprehensive security and compliance document — architecture overview, encryption details, subprocessor list, and compliance status. Built for enterprise procurement teams and data protection officers.
Talk to a security expert
If you are a procurement lead or IT security reviewer, we can walk you through our security architecture, subprocessor list, and data residency options.