Security at CiteRank AI

We treat the data you trust us with as we would our own. This page summarises our current security posture. Last updated: May 26, 2026.

Encryption

  • All traffic is encrypted in transit using TLS 1.3 with modern cipher suites only.
  • All customer data is encrypted at rest with AES-256.
  • Secrets are managed in a dedicated KMS; no production secrets are stored in source control.

Hosting

  • Application: deployed on Vercel and Cloudflare Workers (multi-region, edge).
  • Database: Supabase Postgres on AWS (eu-west-1).
  • Object storage: Supabase Storage with private buckets and signed URLs.

Access controls

  • Single sign-on with mandatory 2FA for all employees.
  • Production access is least-privilege, time-bound, and fully audited.
  • All admin actions are logged to an append-only audit trail.

Application security

  • Strict Content-Security-Policy, HSTS preload, secure cookies (HttpOnly, SameSite=Lax).
  • Row-Level Security in Postgres for every customer-scoped table.
  • Dependency scanning on every commit (Dependabot + GitHub Advanced Security).
  • Static analysis (Semgrep) and secret scanning enforced in CI.

Backups and recovery

  • Database point-in-time recovery to any second within the last 7 days.
  • Daily full backups retained for 30 days, off-region.
  • RPO 5 minutes, RTO 1 hour for the production database.

Incident response

We maintain a documented incident-response runbook covering detection, triage, containment, eradication, recovery and post-mortem. Customers affected by a confirmed security incident involving their personal data will be notified without undue delay and, in any event, within the timelines required by the DPDP Act 2023 and GDPR.

Vulnerability disclosure

We welcome reports from security researchers. Please email security@citerank.ai with a clear description and steps to reproduce. Do not perform testing that could degrade the service or compromise customer data. We commit to acknowledging reports within 2 business days and to working with researchers in good faith.

Compliance

  • SOC 2 Type II: in progress (audit window opened Q1 2026).
  • GDPR: aligned. DPA available on request and at /dpa.
  • DPDP Act 2023 (India): aligned. Designated Data Protection Officer: legal@citerank.ai.
  • ISO 27001: planned for 2027.