Security + Trust
How we handle your data, your secrets, your customers' PII. Honest answers, including what we don't yet do.
At a glance
Where your data lives
Supabase (Postgres + storage), US East region. Vercel serverless functions, US edge regions. Resend (email), Stripe (payments), Anthropic (AI). All US-headquartered SaaS with mature security practices.
Customer data we collect
- Account: owner name, email, phone (optional)
- Business: dojo name, address, vertical, brand assets
- Leads: contact info submitted on your forms (you own this)
- Ad data: spend + impressions + clicks via OAuth (read-only access)
- Site content: your website's text, images, structure
- Usage: API calls, AI token usage, lead routing events
No payment card data: Stripe handles that; we never see the PAN.
Integration secrets (OAuth tokens, API keys)
OAuth refresh tokens are stored in Supabase, encrypted at rest. They are never logged, never returned via the API, never included in the data export. They rotate when you cancel an integration.
We use the minimum OAuth scopes that achieve the feature. For Meta Ads: ads_management + ads_read + business_management. For Google Ads: account-level access via the manager link, no broader Google account scope.
Your customers' PII
Leads submitted through your forms are stored in our database. We treat them as your data (you're the controller; we're the processor). We don't use them for anything outside operating the platform for you.
- Leads can be exported in full via one-click JSON download.
- Leads can be deleted on request: email us with the lead's email address.
- If you have customers in California or the EU, our Privacy Policy and DPA cover the legal bases.
Auth + access control
- Customer sign-in: Supabase magic links (email-only, so there are no passwords to leak).
- Per-route tenant isolation is enforced via the canViewClientDojo guard. An audit script runs against every /api/client/[slug]/* route on every CI build.
- Admin access is role-gated. Staff actions log to 9dm_activity_log for an audit trail.
- 2FA on admin accounts: roadmap Q3.
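To make the tenant-isolation item concrete, here is an added illustration (not the platform's own code) of what a per-route guard and a CI audit of the client route tree look like. The session shape, the role names "owner" and "staff", the withDojoGuard wrapper and the route sources are constructed assumptions; the real canViewClientDojo and route layout are not shown on this page.

```javascript
// Added example, not the platform's code: a deny-by-default tenant guard for
// /api/client/[slug]/* routes plus a build-time audit that flags any route
// whose source never calls the guard. Session shape, role names and route
// sources are constructed for the illustration.

// Decide whether the caller may read the dojo identified by `slug`.
// Anything absent or malformed fails closed.
function canViewClientDojo(session, slug) {
  if (!session || typeof slug !== "string" || slug.length === 0) return false;
  if (session.role === "staff") return true; // role-gated admin access
  if (session.role === "owner") {
    return Array.isArray(session.dojoSlugs) && session.dojoSlugs.includes(slug);
  }
  return false;
}

// Wrap a route handler so the guard runs before any tenant data is touched.
// Returns a plain { status, body } so the behaviour can be checked offline.
function withDojoGuard(handler) {
  return (req) => {
    const { session, slug } = req;
    if (!session) return { status: 401, body: { error: "sign in required" } };
    if (!canViewClientDojo(session, slug)) {
      return { status: 403, body: { error: "not your dojo" } };
    }
    return { status: 200, body: handler(req) };
  };
}

// CI audit: every route under the client tree must reference the guard.
// `routeSources` maps a route path to its source text; a real build would
// fill the map by reading the route files from disk.
const GUARD_PATTERN = /\b(canViewClientDojo|withDojoGuard)\s*\(/;

function auditClientRoutes(routeSources) {
  return Object.entries(routeSources)
    .filter(([route]) => route.startsWith("/api/client/[slug]/"))
    .filter(([, src]) => !GUARD_PATTERN.test(src))
    .map(([route]) => route);
}

// Constructed route sources: one guarded, one that forgot the guard, and a
// route outside the client tree that the audit ignores.
const sampleRoutes = {
  "/api/client/[slug]/leads":
    "export default withDojoGuard((req) => db.leads(req.slug));",
  "/api/client/[slug]/ads":
    "export default (req) => db.adSpend(req.slug); // guard missing",
  "/api/health": "export default () => ({ ok: true });",
};

// Run the audit over the sample; a CI job would fail the build on a non-empty list.
const unguarded = auditClientRoutes(sampleRoutes);
console.log(
  unguarded.length
    ? "unguarded client routes: " + unguarded.join(", ")
    : "all client routes guarded"
);
```

The audit is deliberately a source-text check rather than a runtime one: it catches the route that was never wired through the guard, which is exactly the class of mistake a per-request check cannot see.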
Compliance position
- SOC 2: Type I evidence collection planned for Q4 2026. Type II audit Q2 2027. Most controls are already in place; the cost is the auditor + documentation effort.
- GDPR: We act as a data processor for our customers' lead data. DPA available on request.
- CCPA: California residents can request data export + deletion via the standard channel (email).
- HIPAA: We do not handle PHI and our platform should not be used to store health information.
Disclosure + incident response
If we identify a security issue affecting your data, we'll notify you within 72 hours of confirmation, with what happened, what data was involved, and what we're doing about it. We'll post incidents to the platform status page.
Found a vulnerability? Email kenny@hyder.me with details. We don't have a bug bounty yet but we respond to disclosure within 48 hours and won't pursue legal action against good-faith security research.
What we don't do yet (honest)
- 2FA on staff or admin accounts (Q3 roadmap)
- SAML SSO (we're too small to support it; if you need it for a franchise rollout, email us)
- Field-level encryption beyond what Supabase provides natively
- HIPAA BAA / PHI handling
- SOC 2 audit (Q4 prep, Q2 2027 Type II)