All data encrypted in transit (TLS 1.3) and at rest (AES-256). Database encrypted at the volume level.
Database enforces per-user data isolation at the Postgres level. You can only ever read your own data — even if our application layer had a bug.
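The statement above describes isolation enforced by the database rather than by application code. The following is an added example of how that is typically done in Postgres with row-level security; it is not hypnotic.ai's schema or code. It assumes the application connects as a non-superuser role and sets a session variable (`app.current_user_id`) to the authenticated user's id on each request; on Supabase the equivalent identity source is `auth.uid()`. The table, role names, policy names and UUIDs are constructed for the example.

```sql
-- Added example (not hypnotic.ai's code): per-user isolation with Postgres
-- row-level security. Assumes the app sets app.current_user_id per request;
-- on Supabase you would compare owner_id with auth.uid() instead.

create table notes (
  id        bigserial primary key,
  owner_id  uuid not null,
  body      text not null
);

-- Enable RLS and force it so that even the table owner is subject to the policies.
alter table notes enable row level security;
alter table notes force row level security;

-- Role the application connects as. It must not be a superuser and must not
-- have BYPASSRLS, otherwise the policies are skipped.
create role app_user nologin;
grant select, insert, update, delete on notes to app_user;
grant usage, select on sequence notes_id_seq to app_user;

-- One policy per operation, all keyed on the caller's identity. If the
-- setting is absent, current_setting(..., true) yields NULL, the comparison
-- is NULL, and no row is visible or writable (fail closed).
create policy notes_select on notes for select to app_user
  using (owner_id = current_setting('app.current_user_id', true)::uuid);
create policy notes_insert on notes for insert to app_user
  with check (owner_id = current_setting('app.current_user_id', true)::uuid);
create policy notes_update on notes for update to app_user
  using (owner_id = current_setting('app.current_user_id', true)::uuid)
  with check (owner_id = current_setting('app.current_user_id', true)::uuid);
create policy notes_delete on notes for delete to app_user
  using (owner_id = current_setting('app.current_user_id', true)::uuid);

-- Constructed sample data: two users, one row each.
insert into notes (owner_id, body) values
  ('11111111-1111-1111-1111-111111111111', 'alice''s note'),
  ('22222222-2222-2222-2222-222222222222', 'bob''s note');

-- Simulate the application acting for Alice (run as a superuser or a member
-- of app_user so that SET ROLE is permitted).
set role app_user;
set app.current_user_id = '11111111-1111-1111-1111-111111111111';

-- A query with no WHERE clause, i.e. the shape an application bug would
-- produce: the policy filters Bob's row out before the app ever sees it.
select id, body from notes;

-- Likewise a careless UPDATE only touches Alice's row.
update notes set body = 'edited by alice';

-- Inserting a row owned by someone else is rejected by the WITH CHECK clause.
-- insert into notes (owner_id, body)
--   values ('22222222-2222-2222-2222-222222222222', 'forged');

reset role;
```

Two checks worth running against a setup like this: confirm with `select rolsuper, rolbypassrls from pg_roles where rolname = 'app_user'` that the application role cannot bypass RLS, and confirm with `\d+ notes` (or `pg_tables.rowsecurity`) that RLS is both enabled and forced on every table holding user data, since a single table without it is enough to undo the isolation guarantee.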
API keys stored as environment secrets via Supabase Vault and Vercel Secure Environment Variables. Never in code or logs.
All API endpoints rate-limited per user. AI generation endpoints have concurrency limits to prevent abuse.
Found a security vulnerability? We appreciate responsible disclosure. Please email security@hypnotic.ai with:
We will respond within 48 hours, keep you updated on remediation, and credit you publicly if you wish.
Please do not publicly disclose until we have addressed the issue.