Trust & Security
Built to earn your trust.
Security is foundational to Pomelo Labs, not an afterthought. This page documents our infrastructure, encryption, access controls, AI data practices, and incident response commitments.
Last updated: June 1, 2026
TLS 1.3
Encryption in transit
AES-256
Encryption at rest
72 hrs
Incident notice (GDPR)
Infrastructure
Hosted on SOC 2–certified infrastructure
The Pomelo Labs platform runs on two primary infrastructure providers — Vercel and Supabase — both of which hold SOC 2 Type II certification, meaning they undergo annual independent audits of their security, availability, and confidentiality controls.
- ✓Application layer: Next.js 15 application hosted on Vercel. Serverless edge functions handle API routing and middleware. Vercel's global CDN delivers static assets with sub-100ms edge latency.
- ✓Database and auth: Supabase provides PostgreSQL database hosting with built-in row-level security, Supabase Auth for user authentication, and Supabase Storage for file uploads.
- ✓AI inference: API calls to OpenAI and Anthropic are made server-side from Vercel functions. Your data never flows directly from the browser to AI providers.
- ✓Payments: Stripe handles all payment card data. Card numbers are tokenised by Stripe.js before reaching Pomelo Labs servers; we store only the last four digits and card type.
- ✓Data isolation: each organisation's data is logically separated in our PostgreSQL database via row-level security policies enforced by a mandatory org_id column on every user-facing table. A misconfigured query cannot leak data across organisations.
Encryption
Encrypted in transit and at rest
- ✓In transit: all connections between clients and our servers use TLS 1.3. Older TLS versions (1.0, 1.1) and weak cipher suites are disabled. HTTP requests are automatically redirected to HTTPS.
- ✓At rest: all data stored in Supabase (database rows, file uploads) is encrypted at rest using AES-256, managed by Supabase's infrastructure-level encryption.
- ✓OAuth tokens: integration tokens are held server-side, encrypted at rest by Supabase (see above), and access-scoped to your organization. They are used only during server-side API calls on your behalf, and are never returned to the frontend or logged.
- ✓Environment secrets: API keys for OpenAI, Anthropic, Stripe, DataForSEO, and Firecrawl are stored as encrypted environment variables in Vercel and are never exposed in client-side code or git history.
Authentication
Secure authentication with MFA support
- ✓Authentication is handled by Supabase Auth, which implements industry-standard JWT-based sessions with short expiry windows and refresh token rotation.
- ✓Multi-factor authentication (MFA) is available for all accounts via TOTP authenticator apps (e.g., Google Authenticator, 1Password). We recommend all users enable MFA.
- ✓Passwords are hashed using bcrypt with an appropriate work factor. We never store plaintext passwords.
- ✓Google OAuth is available as a sign-in method. We request only the minimum OAuth scopes required for sign-in (openid, email, profile) and separate integration-specific scopes are requested only when you connect a specific integration.
- ✓Session tokens are HTTP-only cookies with the Secure flag set, preventing JavaScript access and mitigating XSS-based token theft.
- ✓Failed login attempts are rate-limited to prevent brute-force attacks.
Access Controls
Role-based access within your organisation
Within each organisation, Pomelo Labs enforces role-based access control (RBAC) with three roles:
AdminFull access: manage team members, billing, integrations, brand settings, and all content.
EditorCan create, edit, and approve AI-generated content; manage projects; connect integrations. Cannot manage billing or team membership.
ViewerRead-only access to analytics, content queue, and agent outputs. Cannot edit or approve content.
Organisation Admins can invite, remove, and change the roles of team members from Settings → Team at any time. Pomelo Labs engineering staff access production systems only through a separate privileged access mechanism with audit logging. Staff with production database access are limited to those whose roles require it.
AI Data Practices
Your content is never used to train AI models
Our commitment
Your content, brand documents, drafts, and data are never used to train Pomelo Labs AI models or any third-party AI models, including those operated by OpenAI or Anthropic. We pass content to these providers only to fulfil your specific real-time request, under Data Processing Agreements that expressly prohibit use of customer data for model training.
- ✓OpenAI: we use the OpenAI API under an enterprise agreement that includes a zero-data-retention option for eligible endpoints. Content sent to OpenAI is not used to train OpenAI models.
- ✓Anthropic: we use the Anthropic API under terms that prohibit use of submitted data for model training.
- ✓DataForSEO: keyword and SERP data is fetched on-demand based on your queries. We do not send your website content or brand data to DataForSEO.
- ✓Firecrawl: your website is crawled once during onboarding to extract content for brand voice analysis. This crawl data is processed in memory and is not retained as training data.
- ✓Pomelo Labs does not build or fine-tune proprietary AI models using customer data.
Sub-processors
Third parties we work with
All sub-processors are bound by Data Processing Agreements (DPAs) restricting data use to providing services on our behalf. We notify customers of material additions to this list with at least 14 days advance notice.
| Provider | Role | Country | Certifications |
|---|
| Supabase | Auth, database, file storage | US | SOC 2 Type II |
| Vercel | Application hosting, edge functions, CDN | US / Global | SOC 2 Type II |
| OpenAI | AI content generation (gpt-image-1, GPT-4) | US | SOC 2 Type II |
| Anthropic | AI text generation and analysis (Claude) | US | SOC 2 Type II (in progress) |
| DataForSEO | SEO keyword data, SERP analysis, backlinks | US | GDPR compliant |
| Stripe | Payment processing, subscription billing | US | PCI DSS Level 1, SOC 2 Type II |
| Firecrawl | Website crawling during onboarding | US | GDPR compliant |
Data Resilience
Backups and disaster recovery
- ✓Automated daily backups of the Supabase PostgreSQL database, retained for 30 days.
- ✓Point-in-time recovery (PITR) is available via Supabase for restoring the database to any moment within the retention window.
- ✓File uploads (brand assets, generated images) are stored in Supabase Storage with object-level versioning.
- ✓Vercel maintains multi-region deployment infrastructure to minimise application downtime during provider-level incidents.
- ✓In the event of data loss, our target recovery point objective (RPO) is 24 hours and recovery time objective (RTO) is 4 hours.
Incident Response
How we respond to security incidents
We maintain an internal incident response plan with defined escalation paths, severity classifications, and communication timelines.
- ✓Detection: security events are monitored via Supabase audit logs, Vercel access logs, and application-level error tracking.
- ✓Triage: on-call engineering triages all potential security events within 4 hours of detection.
- ✓Containment: affected systems are isolated and credentials rotated as soon as an incident is confirmed.
- ✓Notification: affected users are notified within 72 hours of discovering a personal data breach, in compliance with GDPR Art. 33–34. We also notify relevant supervisory authorities within the required timeframes.
- ✓Post-incident: we conduct a root cause analysis after every confirmed security incident and publish a remediation summary to affected customers.
To report a security vulnerability, email security@pomeolabs.ai. We aim to acknowledge all reports within 24 hours and provide a remediation timeline within 5 business days. We do not pursue legal action against security researchers who disclose vulnerabilities responsibly.
Compliance Roadmap
Our certifications and roadmap
LiveGDPR Compliance
Data Processing Agreements in place with all sub-processors; SCCs for EU/UK data transfers; user rights workflow operational.
LiveCCPA Compliance
No sale of personal data; California rights fulfilled via privacy@pomeolabs.ai within 45-day window.
LivePCI DSS (via Stripe)
Card data is processed exclusively by Stripe (PCI DSS Level 1). Pomelo Labs never handles raw card numbers.
RoadmapSOC 2 Type II (Pomelo Labs)
We are actively pursuing SOC 2 Type II certification with a target audit completion of Q4 2026. Our infrastructure vendors (Vercel, Supabase) are already SOC 2 Type II certified.
Your Data Rights
Export and delete your data
- ✓Data export: you can export all your projects, content, analytics history, and account data as a JSON archive from Settings → Data Export at any time. No need to contact support.
- ✓Account deletion: you can permanently delete your account and all associated data from Settings → Account → Delete Account. Deletion is processed within 30 days.
- ✓Integration revocation: disconnect any integration (Google, Webflow) from Settings → Integrations. This immediately revokes the stored OAuth token.
- ✓Content deletion: individual content items, projects, and agent outputs can be deleted from within the platform at any time.
For additional requests — including access to data not available via self-service export, or if you need a formal data portability export in a specific format — contact privacy@pomeolabs.ai.