Pomelo Labs
Sign inGet started
Trust & Security

Built to earn your trust.

Security is foundational to Pomelo Labs, not an afterthought. This page documents our infrastructure, encryption, access controls, AI data practices, and incident response commitments.

Last updated: June 1, 2026

TLS 1.3
Encryption in transit
AES-256
Encryption at rest
30 days
Backup retention
72 hrs
Incident notice (GDPR)
Infrastructure

Hosted on SOC 2–certified infrastructure

The Pomelo Labs platform runs on two primary infrastructure providers — Vercel and Supabase — both of which hold SOC 2 Type II certification, meaning they undergo annual independent audits of their security, availability, and confidentiality controls.

  • Application layer: Next.js 15 application hosted on Vercel. Serverless edge functions handle API routing and middleware. Vercel's global CDN delivers static assets with sub-100ms edge latency.
  • Database and auth: Supabase provides PostgreSQL database hosting with built-in row-level security, Supabase Auth for user authentication, and Supabase Storage for file uploads.
  • AI inference: API calls to OpenAI and Anthropic are made server-side from Vercel functions. Your data never flows directly from the browser to AI providers.
  • Payments: Stripe handles all payment card data. Card numbers are tokenised by Stripe.js before reaching Pomelo Labs servers; we store only the last four digits and card type.
  • Data isolation: each organisation's data is logically separated in our PostgreSQL database via row-level security policies enforced by a mandatory org_id column on every user-facing table. A misconfigured query cannot leak data across organisations.
Encryption

Encrypted in transit and at rest

  • In transit: all connections between clients and our servers use TLS 1.3. Older TLS versions (1.0, 1.1) and weak cipher suites are disabled. HTTP requests are automatically redirected to HTTPS.
  • At rest: all data stored in Supabase (database rows, file uploads) is encrypted at rest using AES-256, managed by Supabase's infrastructure-level encryption.
  • OAuth tokens: integration tokens are held server-side, encrypted at rest by Supabase (see above), and access-scoped to your organization. They are used only during server-side API calls on your behalf, and are never returned to the frontend or logged.
  • Environment secrets: API keys for OpenAI, Anthropic, Stripe, DataForSEO, and Firecrawl are stored as encrypted environment variables in Vercel and are never exposed in client-side code or git history.
Authentication

Secure authentication with MFA support

  • Authentication is handled by Supabase Auth, which implements industry-standard JWT-based sessions with short expiry windows and refresh token rotation.
  • Multi-factor authentication (MFA) is available for all accounts via TOTP authenticator apps (e.g., Google Authenticator, 1Password). We recommend all users enable MFA.
  • Passwords are hashed using bcrypt with an appropriate work factor. We never store plaintext passwords.
  • Google OAuth is available as a sign-in method. We request only the minimum OAuth scopes required for sign-in (openid, email, profile) and separate integration-specific scopes are requested only when you connect a specific integration.
  • Session tokens are HTTP-only cookies with the Secure flag set, preventing JavaScript access and mitigating XSS-based token theft.
  • Failed login attempts are rate-limited to prevent brute-force attacks.
Access Controls

Role-based access within your organisation

Within each organisation, Pomelo Labs enforces role-based access control (RBAC) with three roles:

AdminFull access: manage team members, billing, integrations, brand settings, and all content.
EditorCan create, edit, and approve AI-generated content; manage projects; connect integrations. Cannot manage billing or team membership.
ViewerRead-only access to analytics, content queue, and agent outputs. Cannot edit or approve content.

Organisation Admins can invite, remove, and change the roles of team members from Settings → Team at any time. Pomelo Labs engineering staff access production systems only through a separate privileged access mechanism with audit logging. Staff with production database access are limited to those whose roles require it.

AI Data Practices

Your content is never used to train AI models

Our commitment

Your content, brand documents, drafts, and data are never used to train Pomelo Labs AI models or any third-party AI models, including those operated by OpenAI or Anthropic. We pass content to these providers only to fulfil your specific real-time request, under Data Processing Agreements that expressly prohibit use of customer data for model training.

  • OpenAI: we use the OpenAI API under an enterprise agreement that includes a zero-data-retention option for eligible endpoints. Content sent to OpenAI is not used to train OpenAI models.
  • Anthropic: we use the Anthropic API under terms that prohibit use of submitted data for model training.
  • DataForSEO: keyword and SERP data is fetched on-demand based on your queries. We do not send your website content or brand data to DataForSEO.
  • Firecrawl: your website is crawled once during onboarding to extract content for brand voice analysis. This crawl data is processed in memory and is not retained as training data.
  • Pomelo Labs does not build or fine-tune proprietary AI models using customer data.
Sub-processors

Third parties we work with

All sub-processors are bound by Data Processing Agreements (DPAs) restricting data use to providing services on our behalf. We notify customers of material additions to this list with at least 14 days advance notice.

ProviderRoleCountryCertifications
SupabaseAuth, database, file storageUSSOC 2 Type II
VercelApplication hosting, edge functions, CDNUS / GlobalSOC 2 Type II
OpenAIAI content generation (gpt-image-1, GPT-4)USSOC 2 Type II
AnthropicAI text generation and analysis (Claude)USSOC 2 Type II (in progress)
DataForSEOSEO keyword data, SERP analysis, backlinksUSGDPR compliant
StripePayment processing, subscription billingUSPCI DSS Level 1, SOC 2 Type II
FirecrawlWebsite crawling during onboardingUSGDPR compliant
Data Resilience

Backups and disaster recovery

  • Automated daily backups of the Supabase PostgreSQL database, retained for 30 days.
  • Point-in-time recovery (PITR) is available via Supabase for restoring the database to any moment within the retention window.
  • File uploads (brand assets, generated images) are stored in Supabase Storage with object-level versioning.
  • Vercel maintains multi-region deployment infrastructure to minimise application downtime during provider-level incidents.
  • In the event of data loss, our target recovery point objective (RPO) is 24 hours and recovery time objective (RTO) is 4 hours.
Incident Response

How we respond to security incidents

We maintain an internal incident response plan with defined escalation paths, severity classifications, and communication timelines.

  • Detection: security events are monitored via Supabase audit logs, Vercel access logs, and application-level error tracking.
  • Triage: on-call engineering triages all potential security events within 4 hours of detection.
  • Containment: affected systems are isolated and credentials rotated as soon as an incident is confirmed.
  • Notification: affected users are notified within 72 hours of discovering a personal data breach, in compliance with GDPR Art. 33–34. We also notify relevant supervisory authorities within the required timeframes.
  • Post-incident: we conduct a root cause analysis after every confirmed security incident and publish a remediation summary to affected customers.

To report a security vulnerability, email security@pomeolabs.ai. We aim to acknowledge all reports within 24 hours and provide a remediation timeline within 5 business days. We do not pursue legal action against security researchers who disclose vulnerabilities responsibly.

Compliance Roadmap

Our certifications and roadmap

Live
GDPR Compliance
Data Processing Agreements in place with all sub-processors; SCCs for EU/UK data transfers; user rights workflow operational.
Live
CCPA Compliance
No sale of personal data; California rights fulfilled via privacy@pomeolabs.ai within 45-day window.
Live
PCI DSS (via Stripe)
Card data is processed exclusively by Stripe (PCI DSS Level 1). Pomelo Labs never handles raw card numbers.
Roadmap
SOC 2 Type II (Pomelo Labs)
We are actively pursuing SOC 2 Type II certification with a target audit completion of Q4 2026. Our infrastructure vendors (Vercel, Supabase) are already SOC 2 Type II certified.
Your Data Rights

Export and delete your data

  • Data export: you can export all your projects, content, analytics history, and account data as a JSON archive from Settings → Data Export at any time. No need to contact support.
  • Account deletion: you can permanently delete your account and all associated data from Settings → Account → Delete Account. Deletion is processed within 30 days.
  • Integration revocation: disconnect any integration (Google, Webflow) from Settings → Integrations. This immediately revokes the stored OAuth token.
  • Content deletion: individual content items, projects, and agent outputs can be deleted from within the platform at any time.

For additional requests — including access to data not available via self-service export, or if you need a formal data portability export in a specific format — contact privacy@pomeolabs.ai.

Security questions or vulnerability reports?

Email our security team at security@pomeolabs.ai. For privacy requests, use privacy@pomeolabs.ai. We aim to respond within 24 hours.

© 2026Pomelo Labs, Inc. All rights reserved.  · Terms · Privacy · Trust & Security