Security-first. from day one.
Overview
Core commitment: Construction procurement documents contain commercially sensitive bid data, contract terms, and vendor pricing. We designed Trueleveler so that documents you submit only to run an analysis are never written to persistent storage — not to a database, not to a file system, not to a log. They exist only in server memory for the duration of that request. Files you deliberately save to your workspace (the Documents area, Drawings, or engine PDFs you save) are a separate, opt-in path: they are stored in private, organization-scoped object storage, encrypted at rest and protected by row-level access controls, so you can use them again.
This page describes the technical and organisational security measures we have in place across Trueleveler's infrastructure, application layer, and third-party integrations. We update it as our controls evolve.
Data In Transit
All communication between your browser and Trueleveler's servers is encrypted using TLS 1.3. Older TLS versions (1.0, 1.1) and weak cipher suites are disabled. HTTP requests are automatically redirected to HTTPS. Our TLS configuration targets an A+ rating on SSL Labs.
Communication between Trueleveler's serverless functions and third-party APIs (AI provider, Supabase) is also over TLS 1.3 on dedicated HTTPS connections. No document data is transmitted over unencrypted channels at any point.
Data At Rest
Account data, saved analysis sessions, vendor records, and project metadata are stored in Supabase (PostgreSQL), which encrypts all data at rest using AES-256. Database backups are also encrypted.
Supabase enforces Row Level Security (RLS) policies on every table. All queries are scoped to the authenticated user's ID — it is not possible for a query to return another user's data, even with a valid session token.
Documents you submit only to run an analysis are not retained — they are processed entirely in server memory and not written to disk or database. Files you choose to save to your workspace are stored in a shared Supabase Storage bucket under organization-scoped Row Level Security and encrypted at rest; only members of your organization can access them, and you can delete them at any time.
Document Handling
There are two distinct paths, and they are handled differently.
1. One-off analysis is processed in memory only. When you submit a document just to run an analysis, its lifecycle is: receive over TLS → load into RAM → extract text → send to AI API over TLS → discard. No file write operations occur at any point in this pipeline. Specifically, for this path:
- Documents are not written to Vercel's filesystem (ephemeral or otherwise)
- Documents are not stored in object storage
- Document contents are not written to application logs or error traces
- Document contents are not cached at the CDN or edge layer
2. Files you save to your workspace are stored, by design. When you upload a file to the Documents area, add a drawing set, or save an engine PDF to a project, you are deliberately filing it for later use, so we keep it in private, organization-scoped object storage (Supabase Storage), encrypted at rest and scoped by Row Level Security so only your organization can reach it. You can delete these files at any time, and they are removed when you delete the project or close your account. Retaining document text for cross-document search is a further opt-in, off by default, controlled by an organization owner in Settings.
The only external service that receives document content is an AI processing API, which processes the text under the provider's API data processing terms. Those terms prohibit the provider from using API-submitted content to train models.
After the AI response is returned, the analysis result is either displayed in your browser session or saved to your account (if you choose to save it). Documents submitted only for one-off analysis are not retained.
API Key Management
Trueleveler's AI API key is stored exclusively as a server-side environment variable in Vercel. It is never exposed to the browser, never included in client-side JavaScript, and never logged.
All AI analysis requests from the browser are routed through a server-side proxy function that authenticates the request against Supabase, then forwards it to the AI API using the server-stored key. The raw API key is unreachable from the client under any circumstances.
Supabase credentials used server-side follow the same pattern: environment variables only, never bundled into client code.
Authentication
Authentication is handled by Supabase Auth, which uses industry-standard JWT (JSON Web Token) sessions. Passwords are hashed using bcrypt and never stored in plaintext. We do not have access to your raw password at any time.
Session tokens are short-lived and are validated server-side on every API request. Expired or invalid tokens are rejected with a 401 response — no document processing occurs without a valid authenticated session for paid features.
Single Sign-On (SSO) via Google Workspace and Microsoft 365 is available on Business and Enterprise plans — sign in with your existing corporate identity provider without managing a separate Trueleveler password. SAML SSO (Okta, Azure AD, OneLogin, generic SAML 2.0 identity providers) is available on Enterprise on request. Hardware security key (WebAuthn/FIDO2) authentication is planned for a future release.
Infrastructure
Trueleveler is deployed on Vercel's edge infrastructure, with compute distributed across Vercel's global edge network. Static assets are served from Vercel's CDN. Serverless functions run in isolated V8 isolates with no persistent state between requests.
Our database runs on a managed PostgreSQL service hosted in the United States. Automated backups with point-in-time recovery are maintained by the provider, which holds its own SOC 2 Type II certification. Sub-processor identity and exact region are disclosed in our Data Processing Agreement as required by GDPR Article 28.
Infrastructure dependencies:
- Edge hosting + serverless — CDN, edge compute, serverless functions
- Managed PostgreSQL (US) — database, authentication, row-level security
- AI Processing API — AI analysis processing
- Stripe — payment processing (PCI-DSS Level 1)
- Resend — transactional email
SOC 2 Compliance
A formal SOC 2 Type II audit has not yet been engaged. We plan to initiate the audit as we scale, and our controls are already designed to meet SOC 2 requirements. Enterprise customers needing a security questionnaire response or a current controls overview today may contact hello@trueleveler.com.
Our current controls are designed to meet SOC 2 requirements:
- Access control and least-privilege principles across all systems
- Encryption at rest and in transit for all data
- Automated monitoring and alerting for anomalous access patterns
- Documented incident response procedures
- Regular dependency audits and vulnerability scanning
- Formal change management for all production deployments
Sub-processors
The following third-party services process data on Trueleveler's behalf:
- Google LLC — AI analysis (document text, in transit only; not stored by Google per API terms). USA.
- Supabase Inc. — database and authentication (account data, session history). USA.
- Vercel Inc. — hosting and compute infrastructure. USA / global edge.
- Stripe Inc. — payment processing (billing data only). USA. PCI-DSS Level 1.
- Resend Inc. — transactional email. USA.
We review sub-processors annually and will update this list when sub-processors change. Material changes are communicated to registered users by email with 30 days' notice.
Incident Response
We maintain a documented incident response plan covering detection, containment, eradication, recovery, and post-incident review. Key commitments:
- Detection: automated monitoring for anomalous API usage, failed authentication spikes, and provider infrastructure alerts
- Initial response: within 4 hours of detection for severity 1 incidents
- User notification: within 72 hours of confirmed breach affecting user data, in compliance with GDPR Article 33
- Post-incident review: root cause analysis and remediation steps published to affected users
Because documents submitted for one-off analysis are not retained, a database breach would not expose that content — only account metadata (email addresses, analysis result text, and project names). Files you save to your workspace live in object storage protected by encryption at rest and organization-scoped Row Level Security, separate from the application database.
Penetration Testing
A third-party penetration test has not yet been engaged. We plan to commission an annual external penetration test alongside our SOC 2 Type II audit as we scale, covering OWASP Top 10 vulnerabilities, API authentication bypasses, injection attacks, and privilege escalation paths.
In the meantime, we run continuous automated vulnerability scanning via our dependency tooling and CSP violation reporting, and we welcome reports from security researchers under the responsible-disclosure policy below. Enterprise customers may request our current controls overview or security questionnaire response by contacting hello@trueleveler.com.
Responsible Disclosure
We welcome reports from security researchers. If you discover a vulnerability in Trueleveler's application or infrastructure, please report it to security@trueleveler.com.
Our disclosure policy:
- We will acknowledge receipt within 24 hours
- We will provide a status update within 5 business days
- We ask researchers to allow us 90 days to remediate before public disclosure
- We will credit researchers in our changelog (with permission)
- We do not pursue legal action against researchers acting in good faith
Please do not access, modify, or exfiltrate user data during testing. Test against your own account only.
Security Contact
For security reports, vulnerability disclosures, enterprise security questionnaires, or to request our penetration test summary or current security questionnaire:
- Email: security@trueleveler.com
- PGP key: available on request
For general privacy questions, see our Privacy Policy. For terms of use, see our Terms of Service.
Trueleveler · trueleveler.com · Security · Last updated March 13, 2026