Security & Compliance
Enterprise-grade security architecture designed for modern cloud workloads
Overview
SecondChair is built on modern cloud infrastructure with security best practices at every layer. We use industry-standard encryption, row-level security isolation, and compliance-ready architectures to protect your data.
Infrastructure
Hosting
Deployed on Vercel, a serverless edge platform that provides automatic scaling, DDoS protection, and global CDN distribution for low-latency access.
Database
Supabase PostgreSQL with Row-Level Security (RLS) enabled. RLS ensures organization-level data isolation—users can only access their own organization's data.
Encryption
In Transit
All data in transit is protected with TLS 1.3, including browser traffic to the application, API calls, and the application's connections to the database.
At Rest
Database storage uses AES-256 encryption. Backups and snapshots are also encrypted.
AI Model Security
How Cloud AI Actually Works
Using "Claude" does not mean your data is sent to an office building. Hosted models run on infrastructure the model provider operates inside a cloud platform (AWS, Google Cloud, Azure): your data is sent over TLS to the provider's API, processed by the model there, and the response is returned.
What matters for security is therefore not physical location but who operates that infrastructure and under whose terms your data is handled. In the standard setup, prompts and completions are processed by Anthropic's API on cloud infrastructure Anthropic operates, under Anthropic's API data-usage and retention terms. The controls involved are the same ones any cloud-hosted application relies on: TLS encryption, VPCs, IAM, and audit logs.
Standard Setup
┌──────────────────┐        ┌──────────────────────────────┐
│ SecondChair      │  TLS   │ Anthropic Claude API         │
│ (Vercel)         │ -----> │ (Anthropic-operated, on GCP) │
└──────────────────┘        └──────────────────────────────┘

✓ Encrypted in transit (TLS) to the model provider's API
✓ Processed on infrastructure Anthropic operates, under Anthropic's API data-usage and retention terms
✗ Not inside SecondChair's or your own cloud account
Enterprise Option: Amazon Bedrock
┌────────────────────────────────────────────────┐
│ YOUR AWS Account (region you choose)           │
│                                                │
│ ┌─────────────┐        ┌─────────────┐         │
│ │ SecondChair │   ->   │ Bedrock     │         │
│ │ automations │        │ (Claude)    │         │
│ └─────────────┘        └─────────────┘         │
│                                                │
│ ✓ Prompts and completions stay within AWS      │
│ ✓ CloudTrail audit logs, VPC endpoint access   │
│ ✓ Your IAM policies and security controls      │
└────────────────────────────────────────────────┘
Data Isolation
Row-Level Security (RLS)
Every database query passes through PostgreSQL's RLS policies, which filter rows by organization ID using the identity carried in the caller's session. Because the policy is evaluated by the database on each statement, an application bug that omits a WHERE clause still cannot return another organization's rows: isolation is enforced at the data layer, not in application code. This guarantee depends on every query running under a role that is subject to RLS; a Supabase service role key bypasses RLS and belongs only in trusted server-side code, never in a browser.
This is the same approach used by multi-tenant SaaS applications handling sensitive enterprise data.
Amazon Bedrock for Maximum Control
When we build Phase 2 automations for your organization, you can opt for Amazon Bedrock deployment. Bedrock is invoked from your own AWS account in the region you select. AWS states that Bedrock does not store or log your prompts and completions (unless you turn on model invocation logging into your own account), does not use them to train models, and does not share them with the model provider, so the data stays within your AWS environment and under your own controls.
Benefits
- API-level audit logs via AWS CloudTrail, plus optional model invocation logging to S3 or CloudWatch Logs in your account
- VPC interface endpoints (AWS PrivateLink), so calls to Bedrock stay on the AWS network instead of the public internet
- Your IAM policies, KMS keys, and security controls apply
- Operates under AWS compliance programs (HIPAA eligible, SOC, FedRAMP); this supports your own compliance obligations but does not satisfy them on its own
- Same frontier AI models (Claude, Llama, Titan)
Access Controls
Authentication
Powered by Supabase Auth. Supports email/password and OAuth providers (Google). Multi-factor authentication (MFA) is available.
Role-Based Access
Organization-level roles (admin, member) control access to team management, settings, and task visibility.
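The following is an added illustration of how organization scoping (Data Isolation above) and the admin/member roles described here can be enforced inside PostgreSQL with RLS, Supabase-style. It is not SecondChair's actual schema or policy set: the tables tasks and organization_members, the organization_id column, and the is_org_member helper are assumptions for illustration; auth.uid() and the authenticated role are the ones Supabase provides.

```sql
-- Added example, not SecondChair's schema. Table, column and helper names
-- are assumed; auth.uid() (JWT "sub" claim) and the "authenticated" role are Supabase's.

create table if not exists organization_members (
  user_id         uuid not null,
  organization_id uuid not null,
  role            text not null check (role in ('admin', 'member')),
  primary key (user_id, organization_id)
);

create table if not exists tasks (
  id              uuid primary key default gen_random_uuid(),
  organization_id uuid not null,
  title           text not null,
  created_by      uuid not null default auth.uid()
);

-- Enable RLS on both tables. FORCE makes the policies apply to the table
-- owner as well. With RLS on and no matching policy, access is denied by default.
alter table organization_members enable row level security;
alter table tasks enable row level security;
alter table tasks force row level security;

-- Users may read only their own membership rows.
create policy members_select_own on organization_members
  for select to authenticated
  using (user_id = auth.uid());

-- Helper: is the calling user a member of the given organization?
-- SECURITY DEFINER lets the check read organization_members regardless of
-- the caller's policies; the fixed search_path prevents function hijacking.
create or replace function is_org_member(org uuid)
returns boolean
language sql
stable
security definer
set search_path = public
as $$
  select exists (
    select 1 from organization_members m
    where m.organization_id = org
      and m.user_id = auth.uid()
  );
$$;

-- Read: only rows in an organization the caller belongs to. A query with no
-- WHERE clause returns only these rows; the filter is applied by the database.
create policy tasks_select_same_org on tasks
  for select to authenticated
  using (is_org_member(organization_id));

-- Write: WITH CHECK validates the row as it will exist after the write, so a
-- client cannot insert a task into, or move one into, another organization.
create policy tasks_insert_same_org on tasks
  for insert to authenticated
  with check (is_org_member(organization_id));

create policy tasks_update_same_org on tasks
  for update to authenticated
  using (is_org_member(organization_id))
  with check (is_org_member(organization_id));

-- Delete: admins only, matching the admin/member roles described above.
create policy tasks_delete_admin on tasks
  for delete to authenticated
  using (exists (
    select 1 from organization_members m
    where m.organization_id = tasks.organization_id
      and m.user_id = auth.uid()
      and m.role = 'admin'
  ));

-- Check (run in a transaction): impersonate a user and confirm that a bare
-- SELECT returns only that user's organization. The claim setting shown is
-- how Supabase exposes the JWT to auth.uid(); the UUID is a placeholder.
-- begin;
-- set local role authenticated;
-- set local request.jwt.claims = '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}';
-- select count(*) from tasks;   -- only the caller's organization is counted
-- rollback;
```

Two points worth checking in any such setup: every write policy needs a WITH CHECK clause, not just USING, or a user could update a row's organization_id and hand it to another tenant; and the Supabase service_role key connects as a role with BYPASSRLS, so none of these policies apply to it and it must never reach client-side code.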
Compliance Status
Current Compliance
- GDPR data protection requirements
- CCPA consumer privacy rights
- Data deletion and portability
Roadmap
SOC 2 Type II certification is planned but not yet scheduled. We will update this page as our compliance program matures.
Incident Response
In the event of a security incident, we follow a structured response process:
- Immediate containment and investigation
- Notification to affected customers within 72 hours
- Remediation and security improvements
- Post-incident report with lessons learned
Security Contact
If you have security concerns or wish to report a vulnerability, please contact:
security@secondchair.ai
We take security reports seriously and will respond within 48 hours.
See also: Privacy Policy