KeystoneIQ Security Overview
This document provides security information for enterprise questionnaires, vendor reviews, and compliance inquiries. KeystoneIQ is the product; Intellibricks Inc. is the operating company.
Data Protection
Encryption at Rest
- Database: Supabase (PostgreSQL) encrypts data at rest. See Supabase security.
- Integration tokens: Access and refresh tokens in `user_integration_credentials` are encrypted with AES-256-GCM using `ENCRYPTION_KEY` (32-byte hex) from the environment. Keys and tokens are never logged.
Encryption in Transit
- All API traffic uses TLS 1.2+ (HTTPS).
- Database connections use SSL.
Access Controls
Authentication
- Email/password: Supabase Auth with bcrypt.
- OAuth: Google, Microsoft (SSO via Supabase SAML on Pro+).
- API keys: Bearer tokens for programmatic access; scoped per workspace.
Authorization
- Row Level Security (RLS): All user-facing tables enforce workspace membership. Users see only data for workspaces they belong to.
- Admin vs member: Workspace owners manage integrations, team, and tenant config. Members use dashboard and connect their own docs.
- Integration tokens: Stored per user, per workspace. Workers use service role for sync; admins cannot see member tokens.
API Access
- API keys: Only workspace owners can create or revoke API keys (Developer in the sidebar; Growth or Pro).
- Audit logging: All `/api/v1/*` requests are logged (workspace_id, method, path, status_code, timestamp). Failed auth (401) is logged with workspace_id=null. Logs are append-only and contain no credentials. Retention: 90 days minimum.
- Rate limits: Intelligence 30/hr; briefs list 60/hr, get 100/hr; trigger-deal-brief 5/hr per workspace.
- Credentials: API keys and tokens are never logged. Account export excludes api_key_hash.
Data Handling
LLM Providers
- Brief generation uses OpenAI and/or Anthropic APIs.
- Per enterprise terms: API data is not used for model training.
- No PII is sent beyond what the user provides (deal notes, competitor context).
Data Retention
- User data retained while workspace is active.
- Account export: `GET /api/account/export`.
- Account deletion: `POST /api/account/delete` (GDPR right to erasure).
Incident Response
- Report: Security issues can be reported via your account contact or support@keystoneiq.ai.
- Severity: P1 (data breach, outage), P2 (suspected compromise), P3 (vulnerability report).
- Containment: Revoke exposed API keys; notify affected customers.
- Recovery: Restore from Supabase backup if needed.
- GDPR (Art. 33/34): Notify affected customers (controllers) without undue delay so they can meet the 72-hour supervisory authority notification deadline.
- Errors logged with trace IDs; no tokens or keys in logs.
- Sync failures surfaced in Settings and job queue.
Compliance
- GDPR: Export and delete endpoints; data processing aligned with controller obligations.
- SOC 2: Roadmap item; to be planned when the enterprise pipeline justifies it.
- Penetration testing: Documented as an annual roadmap item for enterprise.
Infrastructure
- Hosting: Vercel (web), Supabase (database, auth).
- Regions: Configurable; default US.
- Backups: Supabase managed backups; RTO/RPO per Supabase plan.
- Shared responsibility: KeystoneIQ relies on Supabase (SOC 2 Type II), Vercel, Railway. Infrastructure controls are within vendor scope. KeystoneIQ is responsible for application-level controls: access, audit logs, encryption of integration tokens, incident response.
Subprocessors
| Vendor | Purpose | Risk tier |
|---|---|---|
| Supabase | Database, auth | Critical |
| OpenAI | Brief generation | Critical |
| Anthropic | Brief generation | Critical |
| Resend | | High |
| Zapier / Make | API integrations (when customer uses) | High |
| Vercel | Web hosting | Standard |
| Railway | Worker, API hosting | Standard |
| PostHog | Analytics | Standard |
Related policies (product)
- Privacy Policy — data categories, rights, international transfers (if applicable).
- Terms of Service
- Cookie Policy
Last updated: March 2026