Security

Identity and access

• Authentication is provided by Clerk. Passwords are never seen or stored by us.
• Webhooks from Clerk are signature-verified using Svix before processing.
• Webhooks from Stripe are signature-verified using the Stripe webhook signing secret before processing.
• Production secrets are stored in Vercel environment variables and are never exposed in client-side bundles.

Transport and infrastructure

• The website and all APIs are served over HTTPS only via Vercel's edge network.
• Connections to Supabase use TLS.
• The OpenAI API is called from server-side Next.js API routes only — your OpenAI API key never leaves the Vercel runtime.
• Strict-Transport-Security, Content-Security-Policy, Referrer-Policy, Permissions-Policy, X-Frame-Options, and X-Content-Type-Options headers are set in next.config.ts.

Data handling

• Personal data is collected only for the purposes described in the Privacy Policy.
• Workflow content is stored in your browser's localStorage until you trigger an AI feature. We do not retain the request body on our servers.
• Assessments default to private. Publishing requires an explicit consent checkbox and never exposes your contact email or raw responses publicly.
• Failed certification exam responses do not return the answer key.
• Sub-processors are listed at /legal/sub-processors.

Application controls

• AI API routes require an authenticated session with a Pro or Agency plan. Anonymous calls return 401.
• Public form endpoints apply input validation and rate-limit abuse vectors.
• User-supplied content is escaped before being interpolated into administrative emails.

Operations

• Source code lives in a private repository with branch protection on main.
• Production deployments are gated by CI (type-checker, test suite, linter).

In the spirit of honest posture — these are things you might expect from a more mature platform that we have not yet built:

• No SOC 2, ISO 27001, or HIPAA attestation. These are on our long-term roadmap.
• No formal Business Continuity / Disaster Recovery plan documented. We rely on our sub-processors' published recovery profiles.
• No formal penetration test on file. We perform internal review and are happy to share the most recent internal threat model on request.
• No 24/7 on-call. Security reports are triaged by the Operator personally; response time outside business hours may be longer.

If you require an attested vendor for B2B procurement, we are not the right fit yet. We will update this list as items move to shipped.

The Operator is based in Victoria, Australia. The Service complies with the Australian Privacy Principles under the Privacy Act 1988 (Cth). We honour data-subject rights under the GDPR and UK GDPR for users in those jurisdictions. PCI-DSS is handled entirely by Stripe — we never see card numbers.

If you are a B2B customer who needs a Data Processing Addendum to satisfy your own regulatory obligations, email hello@productionai.institute.

This section will list contributors who responsibly disclosed security issues. It is currently empty.

Vulnerability disclosure: security@productionai.institute

Commercial, legal, and DPA: hello@productionai.institute

This page describes the current state honestly. We will not make a security claim here that we cannot demonstrate. If you spot a contradiction between this page and reality, please tell us — that is itself a security issue.