Security
Our Security Commitment
Protecting your data is fundamental to everything we build at FAQai.app. We implement multiple layers of security across our infrastructure, application, and processes to ensure your documents and personal information remain safe.
Infrastructure Security
- Hosted on Vercel's edge network with built-in DDoS protection and global load balancing.
- Supabase database with encryption at rest using AES-256, the industry standard for data protection.
- All data transmitted over TLS 1.2 or higher, ensuring encryption in transit.
Application Security
- Row Level Security (RLS) enforced on all database tables, ensuring users can only access their own data.
- Server-side authentication verification on all API routes, preventing unauthorised access.
- Input validation and sanitisation on all user-submitted data to protect against injection attacks.
- No storage of raw passwords - authentication is handled securely by Supabase Auth with industry-standard hashing.
Data Security
- Documents stored in encrypted Supabase Storage with access policies enforced at the storage layer.
- Files are isolated per user with strict access policies - no user can access another user's documents.
- AI processing: documents are sent to AI providers (OpenRouter, OpenAI) solely for RAG dataset generation. Content is not stored by these providers and is not used for model training.
Access Control
- OAuth 2.0 via Google for passwordless sign-in - no password storage required.
- Email and password authentication with secure hashing via Supabase Auth.
- Session management via HTTP-only cookies, which keep session tokens out of reach of client-side scripts and so limit what a cross-site scripting (XSS) attack can steal.
Compliance
- GDPR compliant - see our GDPR Compliance page for details.
- CCPA compliant for California residents.
- Regular security reviews to identify and address potential vulnerabilities.
Responsible Disclosure
If you discover a security vulnerability in FAQai.app, we encourage you to report it responsibly. Please email security@faqai.app with details of the issue. We take all reports seriously and will respond promptly to investigate and address any confirmed vulnerabilities.
Contact
For security-related enquiries, contact us at security@faqai.app or call +44 7778 208203.
Last updated: February 2026