Infrastructure
- Hosting: Vercel (SOC 2 Type II). All traffic terminates over TLS 1.2+ with HSTS forced on.
- Database: Supabase (SOC 2 Type II). Postgres is encrypted at rest; daily backups with point-in-time recovery.
- Secrets: stored in Vercel’s encrypted environment-variable vault. Nothing sensitive lives in the repository.
Authentication
- Email + password logins use bcrypt-hashed passwords managed by Supabase Auth.
- OAuth (Google, etc.) never gives us your provider password.
- Sessions are stored in HTTP-only, secure, SameSite=Lax cookies.
- Row-level security (RLS) policies enforce that every row in every user-owned table is readable only by its owner — even a buggy query can’t leak another user’s data.
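One way the owner-only RLS guarantee above is typically expressed in Supabase Postgres, as an added example that is not this site's own schema: brand_docs, owner_id and the policy names are assumptions, while auth.uid() and the authenticated role are Supabase built-ins. The verification block at the end assumes the request JWT is injected through the request.jwt.claims setting, as in Supabase's RLS testing guidance.

```sql
-- Added example, not the site's own schema. Table and column names are assumptions.
create table if not exists brand_docs (
  id         uuid primary key default gen_random_uuid(),
  owner_id   uuid not null references auth.users(id) on delete cascade,
  title      text not null,
  body       text not null,
  created_at timestamptz not null default now()
);

-- Step 1: enable RLS. Until this runs, no policy on the table is consulted.
alter table brand_docs enable row level security;
-- Step 2: apply RLS to the table owner as well, so a migration or admin
-- session that owns the table does not silently bypass the policies.
-- Roles with BYPASSRLS (in Supabase, the service_role key) still bypass it,
-- so that key must never reach the browser.
alter table brand_docs force row level security;

-- Step 3: one policy per operation, all keyed on the caller's JWT subject.
-- auth.uid() is Supabase's helper that reads the sub claim of the request JWT.
create policy "owner can read own docs" on brand_docs
  for select to authenticated
  using (owner_id = auth.uid());

create policy "owner can insert own docs" on brand_docs
  for insert to authenticated
  with check (owner_id = auth.uid());

create policy "owner can update own docs" on brand_docs
  for update to authenticated
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());

create policy "owner can delete own docs" on brand_docs
  for delete to authenticated
  using (owner_id = auth.uid());

-- Step 4: verify from a throwaway transaction. Impersonate the authenticated
-- role with a constructed user id; the SELECT may only return rows owned by
-- that id, and the INSERT for a different owner_id must fail the with check.
begin;
set local role authenticated;
set local request.jwt.claims to
  '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}';
select id, owner_id from brand_docs;
insert into brand_docs (owner_id, title, body)
  values ('00000000-0000-0000-0000-000000000002', 'other user', 'rejected');
rollback;
```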
Payments
Card data is handled exclusively by Stripe. We only store a customer ID and a subscription status — we never see or store PAN, CVV, or expiration dates. Stripe is PCI DSS Level 1 compliant.
AI processors
We call Gemini (Google) on the paid API tier, which does not use inputs or outputs to train Google’s models. We do not forward your brand docs, advisor conversations, or remix scripts to any other model provider.
Access controls
- Production database access is limited to the founding team and restricted through short-lived credentials.
- Every internal change is reviewed in git and deployed through automated CI.
- We log infrastructure events to detect suspicious access patterns.
Backups + recovery
- Daily automated Postgres backups with 7-day retention.
- Point-in-time recovery enabled on production.
- User-uploaded assets (thumbnails, brand logos) are stored in object storage with versioning enabled.
Reporting a vulnerability
If you find a security issue, email security@viralhits.app. We’ll respond within two business days. Please give us a reasonable window to fix before public disclosure.