Security
Last updated: June 15, 2026
This page summarises the security practices PipelineIQ relies on today. We are a small team focused on shipping useful product to our customers; we aim to be transparent about what is in place and what is on the roadmap.
1. Hosting & Infrastructure
PipelineIQ runs on third-party infrastructure that maintains its own audited security programs:
- Vercel — application hosting, edge network, and build pipeline. SOC 2 Type 2.
- Supabase — primary Postgres database, authentication, and storage. SOC 2 Type 2; data hosted in the United States.
- Stripe — payment processing. PCI DSS Level 1. Card numbers never touch PipelineIQ servers.
2. Encryption
- In transit: all traffic to and from PipelineIQ is served over TLS 1.2 or higher.
- At rest: all database, storage, and backup data is encrypted at rest using AES-256 by our infrastructure providers.
3. Authentication
Account access is gated by Supabase Auth. We support email and password sign-in (with a mandatory minimum length and email confirmation), and Google OAuth. We do not store user passwords ourselves; password hashes are managed by Supabase using industry standard algorithms.
4. Access Control
PipelineIQ enforces row-level security on every customer-facing database table. Each row is tied to the authenticated user that created it, and database policies reject reads and writes from any other user. This is enforced at the database layer, not the application layer, so a bug in our application code cannot expose one customer’s data to another.
Administrative access to production systems is limited to the founder and protected by multi-factor authentication on the underlying provider accounts (Vercel, Supabase, Stripe).
5. Subprocessors
The third parties listed in our Privacy Policy (Vercel, Supabase, Stripe, Anthropic, Firecrawl, PostHog, Google Analytics, and RB2B) act as subprocessors. PostHog, Google Analytics, and RB2B process site-usage telemetry only and do not receive customer lead data. PostHog, Google Analytics, and RB2B are gated behind a cookie consent banner on the public marketing site and do not fire any tracking until the visitor explicitly grants consent. We will give existing customers notice via email before adding a new subprocessor that processes lead data.
6. Vulnerability Reporting
If you believe you have found a security vulnerability in PipelineIQ, please report it by emailing security@pipelineiq.online. We will acknowledge your report within five (5) business days. We ask that you give us a reasonable opportunity to investigate and remediate before any public disclosure.
We do not currently run a paid bug bounty program. We do appreciate responsible disclosure and will acknowledge contributors on this page where appropriate.
7. Incident Response
In the event of a confirmed security incident affecting customer data, we will notify affected customers by email without undue delay and in any case within the timeframes required by applicable law (including 72 hours under GDPR where applicable). Notifications will describe the nature of the incident, the data affected, and the steps we are taking in response.
8. On the Roadmap
We are honest about what is not yet in place. We do not currently hold a SOC 2 report of our own; we rely on the audited compliance of our infrastructure providers. We expect to pursue formal attestation once enterprise demand justifies it. If you are an enterprise prospect with specific compliance requirements, please contact us directly.
9. Contact
Security-related questions, vulnerability reports, or compliance inquiries? Email security@pipelineiq.online.