Security

Built to keep your data safe

Security is not an afterthought at Appaca. We design our infrastructure, application, and data practices with your protection in mind.

Encrypted in transit and at rest

All data is encrypted using TLS in transit and AES-256 at rest.

Managed authentication

Authentication is handled by Supabase with industry-standard secure practices.

Your data stays yours

We never sell your data or use it to train AI models.

Continuous monitoring

We actively monitor for suspicious activity across our infrastructure.

Infrastructure

Secure by design

Our infrastructure is built on enterprise-grade cloud services with multiple layers of protection.

Cloud infrastructure

Appaca is hosted on reliable, enterprise-grade cloud infrastructure. We leverage managed services with built-in redundancy and failover to maximise availability.

Encryption at rest

All customer data stored in our databases is encrypted at rest using AES-256 encryption, protecting your information even if physical storage is compromised.

Encryption in transit

All communication between your browser and Appaca is protected by TLS 1.2 or higher, ensuring your data cannot be intercepted in transit.

Database security

Our database infrastructure is managed through Supabase, with row-level security policies ensuring strict data isolation between customers.

Application

Application security

Every layer of the Appaca application is built with security controls to protect your account and data.

Authentication

User authentication is managed by Supabase Auth, supporting secure email/password login and OAuth providers with session token management.

Least privilege access

Internal access to customer data is restricted on a need-to-know basis. Our team members can only access systems relevant to their role.

Secure payment processing

All payment data is handled exclusively by Stripe. Appaca never stores credit card details - they go directly to Stripe's PCI-compliant infrastructure.

Dependency management

We regularly update dependencies and monitor for known vulnerabilities in our application stack to reduce exposure to security issues.

Data & Privacy

Your data, your rules

We process your data to run the Service - nothing more. We never sell it or use it to train models.

No AI training on your data

We do not use your content or data to train AI models. Your data is processed to deliver the Service and nothing else.

AI provider isolation

Appaca does not send your personal information to AI providers. For customer-built applications, customers are solely responsible for the data they pass to AI providers.

Analytics and tracking

We use PostHog, Google Analytics, and Meta Pixel to understand how our product is used. This data is non-personal and used solely to improve the Service.

Data deletion

When you request account deletion, your personal data is removed from our active systems within 30 days. See our Privacy Policy for full details.

AI providers we work with

Appaca integrates with leading AI providers to power the platform. These providers are selected for their security and privacy commitments.

OpenAI, Anthropic, Google, Replicate

Responsible Disclosure

Found a vulnerability?

We take every security report seriously. If you discover an issue, please let us know and we will work with you to resolve it responsibly.

01. Report it

Email a description of the vulnerability to [email protected]. Include steps to reproduce, affected components, and your contact details.

02. We investigate

Our team will acknowledge your report within 48 hours and begin a thorough investigation. We will keep you updated throughout the process.

03. We fix it

We will work to remediate confirmed vulnerabilities promptly and notify you when the fix is deployed. We appreciate responsible disclosure.

FAQs

Where is my data stored?

Your data is stored in managed cloud infrastructure via Supabase. Data is encrypted at rest with AES-256 and in transit with TLS.

Does Appaca use my data to train AI models?

No. We do not use your content, prompts, or any customer data to train AI models. Your data is used only to operate and deliver the Service.

Will AI providers (OpenAI, Anthropic, Google, etc.) use my data to train their models?

Appaca does not send your personal data to AI providers. For AI-powered applications that customers build on Appaca, customers are responsible for any data they choose to pass to those providers.

How are payments secured?

All payments are processed by Stripe, a PCI DSS Level 1 certified payment provider. Appaca never stores credit card numbers or other sensitive payment details.

How do you handle a security incident?

Our team monitors infrastructure and application logs continuously. In the event of a confirmed incident affecting customer data, we will notify affected users promptly and take immediate remediation steps.

How do I report a vulnerability?

Please email [email protected] with a description of the issue. We will respond within 48 hours and work with you to address the finding responsibly.

Is Appaca SOC 2 certified?

We are actively working towards SOC 2 Type II compliance. In the meantime, our security practices are aligned with SOC 2 principles across availability, confidentiality, and security.
