Security

How SupaProxy Cloud protects your data.

Last updated 30 April 2026

SupaProxy is built with security, data governance, and auditability as first-class concerns. We take your data seriously.

Infrastructure

  • Hosted on isolated infrastructure with encrypted storage at rest
  • All traffic encrypted in transit via TLS 1.3
  • Database credentials rotated regularly and never stored in code
  • Redis used for ephemeral job queues only, not permanent data storage

Data isolation

  • Every organisation is fully isolated at the database query level
  • Workspace data, connections, and conversations never cross org boundaries
  • Access checks on every API request verify org ownership
  • Cross-org access returns 404 (not 403) to prevent resource enumeration
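As an added illustration of the two isolation points above (example code, not the SupaProxy codebase), a minimal Python handler whose lookup is scoped by organisation at the query level and which returns the same 404 for a foreign organisation's resource as for a missing one, shown beside the naive variant whose 403 confirms that the id exists. The in-memory store, ids and names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed in-memory table: connection id -> (owning org id, row).
# Hypothetical data, not SupaProxy's schema.
CONNECTIONS: Dict[str, Tuple[str, dict]] = {
    "conn-1": ("org-a", {"name": "prod-db"}),
    "conn-2": ("org-b", {"name": "analytics"}),
}


@dataclass(frozen=True)
class Response:
    status: int
    body: dict


NOT_FOUND = Response(404, {"error": "not found"})


def get_connection_leaky(org_id: str, conn_id: str) -> Response:
    """Naive handler: fetches by id, then checks ownership afterwards.
    The distinct 403 tells a caller that conn_id exists in some other org,
    which is exactly the signal resource enumeration relies on."""
    entry = CONNECTIONS.get(conn_id)
    if entry is None:
        return NOT_FOUND
    owner, row = entry
    if owner != org_id:
        return Response(403, {"error": "forbidden"})
    return Response(200, row)


def query_connection(org_id: str, conn_id: str) -> Optional[dict]:
    """Stand-in for `SELECT ... WHERE id = ? AND org_id = ?`: the org filter is
    part of the query itself, so a handler cannot forget to apply it."""
    entry = CONNECTIONS.get(conn_id)
    if entry is None or entry[0] != org_id:
        return None
    return entry[1]


def get_connection(org_id: str, conn_id: str) -> Response:
    """Org-scoped handler: a foreign resource and a nonexistent one are
    indistinguishable to the caller, both yield the identical 404."""
    row = query_connection(org_id, conn_id)
    if row is None:
        return NOT_FOUND
    return Response(200, row)
```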

Authentication

  • Session cookies with HttpOnly, Secure, and SameSite=Lax flags
  • JWT tokens with configurable expiry
  • CORS origin validation on all API requests
  • Bcrypt password hashing with salt

AI & LLM security

  • API keys encrypted at rest and never exposed in logs or responses
  • PII redaction guardrails detect sensitive data before it reaches the LLM
  • Prompt injection detection available as a compliance guardrail
  • Full audit trail of every query, tool call, and AI response

Open source transparency

The SupaProxy server is open source. You can audit the codebase, run your own security scans, and self-host with full control. SupaProxy Cloud uses the same codebase with an additional multi-tenancy layer.

Report a vulnerability

If you discover a security issue, please email numstackdev@gmail.com. We take all reports seriously and will respond within 48 hours.