Skip to main content

Security Practices

Last updated: March 11, 2026

At Fleece AI, security is embedded into every layer of our platform. From encryption and access controls to continuous monitoring and incident response, we follow industry best practices to protect your data. This page details our technical and organizational security measures.

1. Encryption

  • In Transit All data transmitted between your browser and our servers is protected by TLS 1.3. API communications, webhook callbacks, and inter-service calls are all encrypted.
  • At Rest All application data stored in Neon PostgreSQL is encrypted with AES-256. Stripe handles payment data under PCI DSS Level 1 compliance.
  • API Key Security API keys are hashed with SHA-256 before storage. The plaintext key is shown exactly once at creation and never stored or logged.

2. Authentication & Access Control

  • OAuth 2.0 Four authentication providers (Google, GitHub, Microsoft Entra ID, Magic Link via Resend) with strict redirect validation and session management.
  • Session Management JWT-based sessions with secure cookies. Redirect URLs are validated to prevent open redirect attacks.
  • API Keys Plan-based key limits (0 for Free, 5 for Pro, 10 for Business, 25 for Enterprise). Keys support expiration timestamps and last-used tracking.
  • Role-Based Access Plan-based feature gating controls access to premium AI models, agent limits, execution quotas, and history retention periods.

3. Infrastructure

  • Hosting Deployed on Vercel with automatic HTTPS, DDoS protection, and a global edge network. No direct server access is exposed.
  • Database Neon serverless PostgreSQL with automatic failover, point-in-time recovery, and encryption at rest. Hosted in AWS us-east-1.
  • Payments Stripe handles all payment processing under PCI DSS Level 1 certification. We never store, process, or transmit credit card numbers.
  • Secrets Management All credentials and API keys are stored as environment variables, never committed to source code. Production secrets are managed via Vercel's encrypted environment variable store.

4. Application Security

  • Content Security Policy Strict CSP headers restrict script sources, frame ancestors, and connection endpoints. Prevents XSS and data injection attacks.
  • Security Headers HSTS with 2-year max-age and preload, X-Frame-Options: SAMEORIGIN, X-Content-Type-Options: nosniff, strict Referrer-Policy, and restrictive Permissions-Policy.
  • Rate Limiting All API endpoints are rate-limited per user or per IP. Chat: 20/min, Agent Execute: 10/min, Flow Trigger: 5/min, Data Export: 5/hour.
  • Input Validation Zod schemas validate all user input. Database queries use parameterized statements via Drizzle ORM, preventing SQL injection.
  • Error Handling Internal errors are never exposed to clients. Generic error messages are returned while detailed errors are logged server-side for debugging.

5. Audit & Monitoring

We maintain an immutable audit log aligned with SOC 2 CC7 requirements. Audit records are insert-only and cannot be modified or deleted.

  • 25+ audited event types covering authentication, data access, billing, consent, and administrative actions.
  • Each log entry captures: user ID, action, resource type/ID, metadata, IP address, and timestamp.
  • Health check endpoint (/api/health) provides real-time infrastructure status for uptime monitoring (SOC 2 A1).
  • Rate limit violations and security events are tracked for anomaly detection.

6. Data Protection

  • Tenant Isolation All database queries are scoped by user ID. No cross-tenant data access is possible. API keys map to a single authenticated user.
  • Data Retention Personal data is retained while your account is active. Upon deletion, all data is removed within 30 days. Audit logs are preserved with anonymized user references for compliance.
  • Backups Neon provides continuous backups with point-in-time recovery. Backup data is encrypted at rest with the same AES-256 standard.
  • AI Data Usage Your data is never used to train AI models. Prompts and agent tasks are sent to AI providers (OpenAI, Anthropic) solely for real-time inference.

7. Business Continuity

  • Vercel provides automatic failover with multi-region edge deployment and 99.99% uptime SLA.
  • Neon PostgreSQL offers automatic failover with read replicas and point-in-time recovery.
  • Stripe maintains independent availability for payment processing with its own disaster recovery procedures.
  • Critical service health is monitored via /api/health with automated alerting on degradation.

8. Vulnerability Disclosure

We welcome responsible security research. If you discover a vulnerability, please report it following these guidelines:

  • Send your report to contact@fleeceai.app with a detailed description of the vulnerability.
  • Allow reasonable time for us to investigate and address the issue before any public disclosure.
  • Do not access, modify, or delete data belonging to other users during your research.
  • Do not perform denial-of-service attacks, social engineering, or physical security testing.

Report vulnerabilities to contact@fleeceai.app

9. Employee Security

  • All team members complete security awareness training covering phishing, social engineering, and data handling procedures.
  • Access to production systems follows the principle of least privilege. Permissions are reviewed quarterly.
  • Multi-factor authentication is required for all internal tools and cloud service accounts.
  • Departing team members have access revoked immediately upon separation.

10. Change Management

  • All code changes require peer review via pull requests before merging to production.
  • Automated CI/CD pipeline runs linting, type checking, and build verification on every commit.
  • Staging environment testing precedes all production deployments.
  • Vercel provides instant rollback capability for any deployment.

Contact

For detailed security questions or to request a copy of our security documentation, contact us at contact@fleeceai.appTrust Center