Security at Proposera
How we protect your proposals, RFPs, and account data — the controls that are in place today and the practices we hold ourselves to.
Last updated: May 13, 2026
Encryption
All traffic between your browser and Proposera is encrypted with TLS 1.3. Data at rest in the Proposera database (managed by Supabase on AWS) and in file storage is encrypted with AES-256. Backups carry the same encryption posture and are managed by the underlying infrastructure providers.
Authentication
Authentication is handled by Supabase Auth, which supports email-and-password sign-in and Google OAuth. Passwords are never stored in plaintext — Supabase hashes them with bcrypt before persistence. Session tokens are short-lived and refreshed via httpOnly cookies, which page JavaScript cannot read.
Per-organization data isolation
Every table that holds organization-scoped data — proposals, RFPs, company documents, credit usage, invitations, audit entries — is protected by Postgres row-level security (RLS) policies that gate access to members of the owning organization. A user authenticated as a member of one organization cannot read or modify data belonging to any other organization, even if they construct the request by hand. RLS is enforced at the database layer, so a bug in application code running under a user's session cannot bypass it.
Server actions that need to bypass RLS (for billing webhooks, cron jobs, and similar trusted paths) use a separate service-role key, scoped to specific server-only modules and never exposed to the browser.
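As an added illustration of the isolation model described above (not Proposera's own schema or policies), the following Supabase-style Postgres setup gates an organization-scoped table by membership; the table and column names, the my_org_ids() helper, and the role names are assumptions.

```sql
-- Added example, not Proposera's own schema: a minimal per-organization RLS
-- setup in the Supabase/Postgres style described above. Table and column
-- names (organization_members, proposals, org_id) are assumptions.

create table organization_members (
  org_id  uuid not null,
  user_id uuid not null references auth.users (id),
  role    text not null check (role in ('owner', 'admin', 'member')),
  primary key (org_id, user_id)
);

create table proposals (
  id     uuid primary key default gen_random_uuid(),
  org_id uuid not null,
  title  text not null,
  body   text
);

-- Organizations the calling user belongs to. security definer lets the function
-- read organization_members without that table's own policy recursing;
-- search_path is pinned so a rogue schema cannot shadow the table.
create or replace function my_org_ids()
returns setof uuid
language sql security definer stable
set search_path = public
as $$
  select org_id from organization_members where user_id = auth.uid();
$$;

alter table organization_members enable row level security;
alter table proposals enable row level security;

-- A user sees only the membership rows of organizations they are in.
create policy members_select on organization_members
  for select to authenticated
  using (org_id in (select my_org_ids()));

-- Reads and writes on proposals are gated by membership in the owning
-- organization. The with check clause also blocks inserting or re-pointing
-- a row at an organization the user does not belong to.
create policy proposals_org_isolation on proposals
  for all to authenticated
  using (org_id in (select my_org_ids()))
  with check (org_id in (select my_org_ids()));

-- Trusted server-only paths that use the service-role key bypass RLS
-- entirely, which is why that key must never be shipped to the browser.
```

A quick check of such a policy is to open two sessions as members of different organizations and confirm that a select on proposals from each returns only that organization's rows, and that an insert with a foreign org_id is rejected.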
Role-based access control
Each organization has three roles — Owner, Admin, and Member — with progressively narrower permissions. Owners can change billing, transfer ownership, and remove anyone. Admins can manage team members and invitations, but cannot act on the Owner. Members can use the AI features for proposals and RFPs but cannot change billing or remove other members. Role checks run on the server for every mutation; client-side hiding of buttons is a UX courtesy, not the trust boundary.
Infrastructure
Proposera runs on a small number of vetted providers:
- Supabase hosts the Postgres database, authentication, and file storage. SOC 2 Type II certified.
- Vercel hosts the application, edge functions, and serverless runtime. SOC 2 Type II certified.
- Stripe processes payments. PCI DSS Level 1 certified.
- Anthropic serves the Claude AI models that power proposal generation. SOC 2 Type II certified.
- Inngest orchestrates background jobs and crons. SOC 2 Type II certified.
- Sentry handles application error monitoring. SOC 2 Type II certified.
- Resend delivers transactional email.
Secrets and credentials
API keys and other secrets live in Vercel environment variables and are never committed to the source code. Local development uses a .env.local file that is git-ignored. Webhook payloads from Stripe and Inngest are signature-verified before processing.
AI safety
Prompts to Claude include only the proposal, RFP, and company-profile data needed for the current task; we do not send unrelated organization data. Per Anthropic's commercial terms, content sent through the API is not used to train models. Outputs are returned to the requesting organization only, never aggregated or shared across accounts.
Logging and audit
Every credit-spending action writes an immutable ledger entry with the actor, action type, and timestamp. Billing events from Stripe land in our subscriptions table via signature-verified webhooks. Application errors flow into Sentry with stack traces and limited contextual data. Operational server logs are retained for 30 days.
Compliance posture
Proposera is GDPR- and CCPA-aware: our Privacy Policy lists the data we collect and the rights you can exercise. Our underlying infrastructure providers are independently certified at SOC 2 Type II (see Infrastructure above). Proposera is not currently SOC 2 certified at the application layer; we expect to pursue certification once we are out of v1.
Responsible disclosure
If you believe you've found a security vulnerability in Proposera, please report it to security@proposera.app. Please don't test against production data belonging to other organizations — set up a free trial account and test against that. We will acknowledge your report within two business days and work with you on a coordinated disclosure.
Incident response
In the event of a security incident affecting customer data, we will notify affected customers within 72 hours of confirming the impact, in line with GDPR Article 33 guidance. Notifications will describe the scope, the data involved, the steps we are taking to remediate, and any action we recommend you take.