Security Policy
S2 Strategy, Inc. (“Company”) is committed to providing a robust security posture for AdviserGPT, ensuring customer data remains protected while leveraging modern, scalable cloud services. We maintain a security baseline that includes encryption, tenant isolation, daily backups, secure development practices, and continuous improvement. This policy defines those controls and the responsibilities of Company personnel and our subprocessors.
1. Introduction
AdviserGPT's cloud infrastructure is built on two primary pillars and governed by the controls in this policy:
Supabase for data storage, authentication (Supabase Auth), and Row-Level Security (RLS), providing secure tenant isolation and encryption.
Vercel for front-end hosting, offering automatic HTTPS, high-availability hosting, and immutable deployments.
By combining these cloud-native solutions with continuous security processes, AdviserGPT provides a reliable and scalable multi-tenant architecture.
2. Data Access & Tenant Isolation with Supabase
2.1 Single Supabase Instance with RLS
AdviserGPT runs on a single Supabase instance, leveraging Row-Level Security (RLS) to isolate tenant data. To harden RLS in a multi-tenant model, we implement:
Tenant Isolation: Every table that holds Customer Content carries a tenant identifier, and RLS policies evaluated by Postgres on each query allow a customer to read or modify only rows whose tenant identifier matches the authenticated user's tenant membership. Isolation is enforced in the database rather than in application code, so a bug in an API route cannot widen a tenant's view.
Secure Authentication: We use Supabase Auth (OIDC/OAuth2 capable) and enforce the following:
MFA is required for all privileged/admin accounts and supported for end users.
No shared accounts; least-privilege role-based access control (RBAC).
Session lifetimes and refresh token policies align with least privilege.
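The following SQL is an added illustration of the tenant-isolation model described above; it is not AdviserGPT's actual schema or policy set. The table names (public.documents, public.tenant_members), column names and the helper function my_tenants() are assumptions chosen for the example. It contrasts a permissive policy with a hardened one and ends with a check that can be run in the Supabase SQL editor to confirm a user in one tenant cannot see another tenant's rows.

```sql
-- Added example: Postgres Row-Level Security for a multi-tenant Supabase table.
-- All table, column and function names here are assumptions for illustration.

create table if not exists public.tenant_members (
  tenant_id uuid not null,
  user_id   uuid not null references auth.users (id) on delete cascade,
  role      text not null check (role in ('member', 'admin')),
  primary key (tenant_id, user_id)
);

create table if not exists public.documents (
  id         uuid primary key default gen_random_uuid(),
  tenant_id  uuid not null,
  owner_id   uuid not null default auth.uid(),
  body       text not null,
  created_at timestamptz not null default now()
);

-- Deny by default. Without ENABLE, any role with a table GRANT sees every tenant's rows.
-- FORCE also applies policies to the table owner (it does not affect the service_role,
-- which carries BYPASSRLS; that key must never reach a browser or end-user client).
alter table public.tenant_members enable row level security;
alter table public.documents      enable row level security;
alter table public.documents      force  row level security;

-- Users may read only their own membership rows.
create policy tenant_members_self on public.tenant_members
  for select to authenticated
  using (user_id = auth.uid());

-- Helper returning the caller's tenants. SECURITY DEFINER lets the policy below
-- consult tenant_members without recursing through that table's own RLS policy.
create or replace function public.my_tenants()
returns setof uuid
language sql stable security definer
set search_path = public
as $$
  select tenant_id from public.tenant_members where user_id = auth.uid()
$$;
revoke execute on function public.my_tenants() from public;
grant  execute on function public.my_tenants() to authenticated;

-- Weak policy (shown for contrast, do not create it): USING (true) makes every
-- authenticated user a reader of every tenant's documents.
-- create policy documents_read_all on public.documents
--   for select to authenticated using (true);

-- Hardened policies. USING filters rows already in the table; WITH CHECK guards
-- rows being written, so an INSERT/UPDATE cannot move data into another tenant.
create policy documents_select on public.documents
  for select to authenticated
  using (tenant_id in (select public.my_tenants()));

create policy documents_insert on public.documents
  for insert to authenticated
  with check (tenant_id in (select public.my_tenants())
              and owner_id = auth.uid());

create policy documents_update on public.documents
  for update to authenticated
  using      (tenant_id in (select public.my_tenants()))
  with check (tenant_id in (select public.my_tenants()));

create policy documents_delete on public.documents
  for delete to authenticated
  using (tenant_id in (select public.my_tenants()));

-- Isolation check (run inside a transaction and roll it back). Supabase's auth.uid()
-- reads the JWT claims from the request.jwt.claims setting, so a tenant-A user can
-- be simulated without a real login. The UUIDs below are constructed sample values.
begin;
  set local role authenticated;
  select set_config('request.jwt.claims',
                    '{"sub":"00000000-0000-0000-0000-00000000000a","role":"authenticated"}',
                    true);
  -- Expected: only rows whose tenant_id is one of user ...000a's tenants are returned,
  -- and the count of rows from any other tenant is zero.
  select tenant_id, count(*) from public.documents group by tenant_id;
rollback;
```

When reviewing policies, confirm that every policy that permits INSERT or UPDATE has a WITH CHECK clause and that no policy uses USING (true) on a table containing Customer Content; the SELECT-only check at the end does not catch a missing WITH CHECK.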
2.2 Encryption
At Rest: All data at rest is encrypted using industry-standard cryptography (e.g. AES-256) provided by the platform.
In Transit: All communication with Supabase is secured via TLS (TLS 1.2+), with HSTS enabled at the edge for AdviserGPT.
2.3 Additional Security Measures
Sensitive Data Handling: Access tokens and API keys are stored only in encrypted secrets stores and never logged.
Vulnerability Management: We scan code and dependencies on every commit/merge to main using automated SAST/Dependency tools. Patch/time-to-remediate targets: Critical < 7 days; High < 14 days; Medium < 30 days; Low < 90 days (or documented exception).
PII: By default, Customer Content should not contain PII. We do maintain limited Account Data PII for billing purposes (e.g. name, business email, billing/contact).
Access Privileges: Access follows least privilege with RBAC. Access is logged and reviewed at least quarterly.
3. Secure Hosting with Vercel
3.1 Automatic HTTPS & TLS
All front-end traffic is served over HTTPS with TLS 1.2+ and HSTS.
3.2 Immutable Deployments
Every new deployment to Vercel is immutable: a deployment is never modified in place, and a change ships only as a new build. Protected branches and required code reviews gate production deploys.
3.3 Continuous Monitoring & Rollbacks
Monitoring: We collect app/infrastructure metrics and alerts for availability, error rates, auth anomalies, and suspicious access patterns.
Rollbacks: If a deployment introduces a security issue or bug, we can roll back immediately. Preview deployments are access-controlled to prevent exposure of sensitive features or data.
4. Logging & Audit Trails
We maintain detailed logs to enable oversight, auditing, and compliance reporting:
Supabase Logs: Capture database actions, user sign-ins, and data changes.
Front-End Logs (Vercel): Track build and deployment activities, making it easy to investigate anomalies.
Error & Performance Metrics: Collected through our monitoring and alerting systems, enabling real-time response to potential security threats or performance bottlenecks.
5. Data Backups & Recovery
We subscribe to the Supabase Pro Plan for robust backup capabilities and maintain the following recovery objectives:
Backups: Daily full backups and Point-in-Time Recovery (where the plan and region make it available), with backups encrypted at rest.
Recovery Point Objective (RPO)/Recovery Time Objective (RTO): Target RPO < 24 hours; Target RTO < 24 hours.
6. Ongoing Security Controls
To continuously enhance our security posture, we employ:
Regular Patching & Updates per the vulnerability timelines in section 2.3.
Secure Software Development Lifecycle (SDLC): We perform threat modeling for major changes, and code review is required for all production changes.
Incident Response: Our IR plan defines severity levels, containment/eradication steps, forensics, and customer communications. For confirmed unauthorized access to Customer Content or Account Data, we notify impacted customers without undue delay.
Subprocessors: We maintain a current list of subprocessors (including Supabase and Vercel).
Compliance Statements: Subprocessor attestations (for example SOC 2 Type II or ISO 27001) may apply to their services; such attestations cover the subprocessor's own controls, not AdviserGPT as a whole.
7. Conclusion
By leveraging Supabase's multi-tenant RLS architecture and Vercel's secure hosting environment, AdviserGPT provides a robust yet flexible platform. We combine industry-standard encryption, daily backups, integrity-protected logging, access controls, and continuous testing/scanning to maintain a high level of protection for our customers' data. This policy reflects our minimum baseline and will evolve as the service and threat landscape change.
For more information on our security measures, subprocessors, or to discuss specialized requirements, please contact us at support@s2strategy.ai.