Security

Martech Stack Builder handles sensitive vendor evaluation data, procurement workflows, and team collaboration for enterprise organizations. We take the security of your data seriously. This page describes our security practices and the infrastructure that protects your information.

Data Protection

• Encryption at rest: All data is stored in Supabase PostgreSQL with AES-256 encryption at rest.
• Encryption in transit: All connections use TLS 1.2+ (HTTPS). No data is transmitted in plain text.
• Data residency: All application data is stored in the EU (eu-north-1, Stockholm) via Supabase.
• Backups: Supabase provides automated daily backups with point-in-time recovery.
• Data isolation: Team data is isolated using PostgreSQL Row-Level Security (RLS) policies on every table. Users can only access data they are authorized to see.

Authentication

• Passwordless login: Magic link email authentication via Supabase Auth — no passwords to leak or brute-force.
• OAuth: Google OAuth 2.0 for social sign-in.
• Two-factor authentication: TOTP-based MFA (Google Authenticator, Authy, 1Password). Available for all users; enforceable at the team level on Enterprise plans.
• Session management: JWT-based sessions with automatic token rotation and short-lived access tokens. MFA-enabled accounts require 2FA verification on each login.

Authorization

• Role-based access control: Four team roles (Owner, Admin, Editor, Viewer) with granular permissions enforced at the database level via RLS.
• Team-scoped data: Diagrams, proposals, RFI data, and collaboration features are scoped to the team workspace. RLS policies prevent cross-team data access.
• Share links: Optional password protection and expiration dates for externally shared diagrams.

Audit Logging

• Team activity log: Workspace owners and admins can view a real-time audit trail of team actions — member changes, role updates, sharing events, and more.
• Retention: Up to 365-day audit log retention on Enterprise plans.
• Export: CSV export of audit events for compliance reporting (Enterprise).
• Immutable records: Audit events include denormalized actor information that persists even after user deletion.

Infrastructure

• Hosting: Docker containers on Coolify with nginx Alpine reverse proxy.
• HTTPS: All traffic encrypted via TLS 1.2+. HSTS enabled with 1-year max-age.
• Security headers: HTTP Strict Transport Security (HSTS), X-Content-Type-Options, X-Frame-Options, and frame-ancestors CSP configured in nginx.
• Input sanitization: DOMPurify for user-generated content, parameterized queries for all database operations (no SQL injection risk).

Development Security

• CI/CD pipeline: GitHub Actions runs TypeScript type checking, ESLint, unit tests, and security audits on every pull request.
• Dependency scanning: Dependabot monitors dependencies for known vulnerabilities weekly.
• Code quality: Strict TypeScript (no any), mandatory pre-commit checks, automated linting.
• Secret management: Environment variables stored securely, never committed to version control.

Vendor Certifications

Our infrastructure providers maintain industry-standard certifications:

Account Security

• Two-factor authentication (2FA): TOTP-based MFA available for all users via Settings > Security. Works with Google Authenticator, Authy, 1Password, and any TOTP-compatible app. Works alongside Google SSO.
• Team MFA enforcement: Enterprise team admins can require all members to enable 2FA before accessing the workspace. Members without 2FA are blocked until they enroll.
• Session verification: When MFA is enabled, each login session requires a fresh 2FA verification before granting access.

Contract & Document Security

When you upload vendor contracts, SLAs, DPAs, and Master Service Agreements to your workspace, your documents are protected with multiple layers of security at every stage of the lifecycle.

Upload & Storage

• Encrypted transit: Files are transmitted over TLS 1.2+ to a private storage bucket.
• Encrypted at rest: Supabase Storage uses AES-256 disk-level encryption for all stored files.
• Access control: Row-Level Security (RLS) policies enforce that only workspace members with editor permissions can upload, view, or delete documents. Other workspaces cannot access your files — even at the database level.
• Short-lived downloads: File downloads use signed URLs that expire after 5 minutes. No permanent public URLs are created.

Application-Level Encryption

Beyond standard disk encryption, contract text receives an additional layer of application-level encryption using per-workspace keys:

• Per-workspace encryption keys: Each workspace has its own AES-256 symmetric encryption key stored in Supabase Vault (a hardware-secured key management system). One workspace's key cannot decrypt another workspace's data.
• Encrypted columns: Full document text, extracted key terms, and semantic search chunks are encrypted at the application layer before being written to the database. A database administrator sees encrypted binary data, not your contract terms.
• Server-side decryption: Encryption and decryption happen inside PostgreSQL using pgcrypto — keys never leave the database server and are never exposed to the browser or API layer.
• Structured metadata: Derived values (e.g., annual contract value, renewal date, uptime guarantee percentage) are stored unencrypted to enable sorting, filtering, and dashboard views. These are summary fields — the original legal language they were derived from is encrypted.

Smart Extraction

• Isolated pipeline: Document text is processed server-side through a secure extraction pipeline. The pipeline identifies key contract terms (pricing, SLA commitments, DPA clauses, termination terms) and returns structured data.
• No cross-user data: Each extraction runs in isolation. Your document text is never mixed with data from other users or used to train AI models.
• Webhook authentication: The extraction service validates requests using a shared secret header to prevent unauthorized calls.

Semantic Search & AI Chat

• Vector embeddings: Document text is converted into mathematical vector representations (1536-dimensional arrays) for semantic search. These embeddings enable natural language queries like "What's our uptime guarantee?" but cannot be practically reversed into the original text.
• Ownership-scoped search: The search function verifies workspace ownership before returning any results. A user can only search documents they have access to.
• AI-powered answers with citations: When you ask the Research Assistant a question about your contracts, relevant document excerpts are sent to the AI provider (OpenAI) over an encrypted connection. The AI generates an answer with inline citations that trace back to specific contract clauses. You are prompted for consent before contract data is processed by AI.
• No model training: Contract data sent to OpenAI is processed under their API terms, which prohibit using customer data for model training. Data is not retained after processing.

Audit & Compliance

• Full audit trail: All document operations — upload, extraction, confirmation, indexing, deletion — are logged in the workspace audit log with actor identity, timestamp, and event metadata.
• Cascading deletion: When a document is deleted, all associated data (encrypted text, extracted metadata, vector embeddings, search chunks) is permanently removed via cascading database constraints.
• Enterprise features: 365-day audit retention, CSV export of audit events, and team-wide MFA enforcement are available on Enterprise plans.

AI Data Processing

Martech Stack Builder uses AI to power several features. Here's exactly what data is processed and how:

All AI providers process data under API terms that prohibit using customer data for model training. Data is transmitted over encrypted connections and is not retained after processing.

AI Security Controls

All content entering the AI pipeline passes through multiple security layers to prevent prompt injection, content manipulation, and unauthorized data exposure:

• Content sanitization: Contract text, user questions, and conversation history are sanitized at every stage — extraction, embedding, storage, and retrieval. Injection patterns are detected and filtered before reaching the AI model.
• Injection scoring: Retrieved document chunks are scored for injection risk. High-risk content is excluded from AI context automatically, preventing stored attacks via uploaded documents.
• Relevance thresholds: Semantic search enforces minimum similarity scores, ensuring only genuinely relevant contract sections are included in AI responses.
• Server-side validation: Conversation history is validated server-side. Only user and assistant messages are accepted — system-level messages cannot be injected from the client.
• Token budget enforcement: Total context size is monitored and capped to prevent context overflow and cost-based attacks.
• Secure gateway: All AI requests route through a server-side gateway that verifies authentication, enforces tier limits, and prevents client-side spoofing of user identity or subscription level.

Responsible Disclosure

If you discover a security vulnerability, please report it responsibly to security@martechstackbuilder.com.

• We acknowledge reports within 48 hours.
• We triage and assess within 7 days.
• We do not take legal action against good-faith security researchers.

For full details, contact us at security@martechstackbuilder.com.

Questions?

If you have questions about our security practices or need to complete a security questionnaire for procurement, contact us at security@martechstackbuilder.com.