Security-first, from day one.
Overview
Core commitment: Construction procurement documents contain commercially sensitive bid data, contract terms, and vendor pricing. We designed Trueleveler's architecture specifically so that documents are never written to persistent storage — not to a database, not to a file system, not to a log. They exist only in server memory for the duration of the analysis request.
This page describes the technical and organisational security measures we have in place across Trueleveler's infrastructure, application layer, and third-party integrations. We update it as our controls evolve.
Data In Transit
All communication between your browser and Trueleveler's servers is encrypted using TLS 1.3. Older TLS versions (1.0, 1.1) and weak cipher suites are disabled. HTTP requests are automatically redirected to HTTPS. Our TLS configuration targets an A+ rating on SSL Labs.
Communication between Trueleveler's serverless functions and third-party APIs (AI provider, Supabase) is also over TLS 1.3 on dedicated HTTPS connections. No document data is transmitted over unencrypted channels at any point.
Data At Rest
Account data, saved analysis sessions, vendor records, and project metadata are stored in Supabase (PostgreSQL), which encrypts all data at rest using AES-256. Database backups are also encrypted.
Row Level Security (RLS) policies are enabled on every table in our PostgreSQL database. Each policy compares the row's owner with the user ID carried in the caller's authenticated session, so a query made with a valid session token can only return rows belonging to that user; it cannot return another user's data.
We do not store documents, bid files, contracts, invoices, or any uploaded content. These are processed entirely in server memory and never written to disk or database.
Document Handling
Documents are processed in memory only. The lifecycle of an uploaded document is: receive over TLS → load into RAM → extract text → send to AI API over TLS → discard. No file write operations occur at any point in this pipeline.
Specifically:
- Documents are not written to Vercel's filesystem (ephemeral or otherwise)
- Documents are not stored in Supabase Storage or any object storage service
- Document contents are not written to application logs or error traces
- Document contents are not cached at the CDN or edge layer
The only external service that receives document content is an AI processing API, which processes the text under the provider's API data processing terms. Those terms prohibit the provider from using API-submitted content to train models.
After the AI response is returned, the analysis result is either displayed in your browser session or saved to your account (if you choose to save it). The original document is never retained.
API Key Management
Trueleveler's AI API key is stored exclusively as a server-side environment variable in Vercel. It is never exposed to the browser, never included in client-side JavaScript, and never logged.
All AI analysis requests from the browser are routed through a server-side proxy function that authenticates the request against Supabase, then forwards it to the AI API using the server-stored key. The raw API key is unreachable from the client under any circumstances.
Supabase credentials used server-side follow the same pattern: environment variables only, never bundled into client code.
Authentication
Authentication is handled by Supabase Auth, which uses industry-standard JWT (JSON Web Token) sessions. Passwords are hashed using bcrypt and never stored in plaintext. We do not have access to your raw password at any time.
Session tokens are short-lived and are validated server-side on every API request. Expired or invalid tokens are rejected with a 401 response; for paid features, no document processing occurs without a valid authenticated session.
Single Sign-On (SSO) via Google Workspace and Microsoft 365 is available on Business and Enterprise plans — sign in with your existing corporate identity provider without managing a separate Trueleveler password. SAML SSO (Okta, Azure AD, OneLogin, generic SAML 2.0 identity providers) is available on Enterprise on request. Hardware security key (WebAuthn/FIDO2) authentication is planned for a future release.
Infrastructure
Trueleveler is deployed on Vercel's edge infrastructure, with compute distributed across Vercel's global edge network. Static assets are served from Vercel's CDN. Serverless functions run in isolated V8 isolates with no persistent state between requests.
Our database runs on Supabase, hosted on AWS US-East-1. Supabase provides automated daily backups with point-in-time recovery, and maintains its own SOC 2 Type II certification.
Infrastructure dependencies:
- Vercel — hosting, edge compute, CDN, serverless functions
- Supabase (AWS US-East-1) — database, authentication, row-level security
- AI Processing API — AI analysis processing
- Stripe — payment processing (PCI-DSS Level 1)
- Resend — transactional email
SOC 2 Compliance
A formal SOC 2 Type II audit has not yet been engaged. We plan to initiate the audit as we scale. Enterprise customers needing a security questionnaire response or a current controls overview today may contact hello@trueleveler.com.
Our current controls are designed to meet SOC 2 requirements:
- Access control and least-privilege principles across all systems
- Encryption at rest and in transit for all data
- Automated monitoring and alerting for anomalous access patterns
- Documented incident response procedures
- Regular dependency audits and vulnerability scanning
- Formal change management for all production deployments
Sub-processors
The following third-party services process data on Trueleveler's behalf:
- Google LLC — AI analysis (document text, in transit only; not stored by Google per API terms). USA.
- Supabase Inc. — database and authentication (account data, session history). AWS US-East-1, USA.
- Vercel Inc. — hosting and compute infrastructure. USA / global edge.
- Stripe Inc. — payment processing (billing data only). USA. PCI-DSS Level 1.
- Resend Inc. — transactional email. USA.
We review sub-processors annually and will update this list when sub-processors change. Material changes are communicated to registered users by email with 30 days' notice.
Incident Response
We maintain a documented incident response plan covering detection, containment, eradication, recovery, and post-incident review. Key commitments:
- Detection: automated monitoring for anomalous API usage, failed authentication spikes, and infrastructure alerts via Vercel and Supabase dashboards
- Initial response: within 4 hours of detection for severity 1 incidents
- User notification: within 72 hours of a confirmed breach affecting user data. GDPR Article 33 sets the 72-hour deadline for notifying the supervisory authority; we apply the same deadline to notifying affected users, which Article 34 requires without undue delay
- Post-incident review: root cause analysis and remediation steps published to affected users
Because documents are never stored, a database breach would not expose document content, only what is held in your account: email addresses, project names, and any analysis results you chose to save. Saved results may summarise the contents of the documents they were generated from, which is why they sit behind the at-rest encryption and row-level security described above.
Penetration Testing
A third-party penetration test has not yet been engaged. We plan to commission an annual external penetration test alongside our SOC 2 Type II audit as we scale, covering OWASP Top 10 vulnerabilities, API authentication bypasses, injection attacks, and privilege escalation paths.
In the meantime, we run continuous automated vulnerability scanning via our dependency tooling and CSP violation reporting, and we welcome reports from security researchers under the responsible-disclosure policy below. Enterprise customers may request our current controls overview or security questionnaire response by contacting hello@trueleveler.com.
Responsible Disclosure
We welcome reports from security researchers. If you discover a vulnerability in Trueleveler's application or infrastructure, please report it to security@trueleveler.com.
Our disclosure policy:
- We will acknowledge receipt within 24 hours
- We will provide a status update within 5 business days
- We ask researchers to allow us 90 days to remediate before public disclosure
- We will credit researchers in our changelog (with permission)
- We do not pursue legal action against researchers acting in good faith
Please do not access, modify, or exfiltrate user data during testing. Test against your own account only.
Security Contact
For security reports, vulnerability disclosures, enterprise security questionnaires, or to request our current controls overview (a penetration test summary and SOC 2 documentation will be available once those engagements are complete):
- Email: security@trueleveler.com
- PGP key: available on request
For general privacy questions, see our Privacy Policy. For terms of use, see our Terms of Service.
Trueleveler · trueleveler.com · Security · Last updated March 13, 2026