Security

Bronsik's backend runs on Supabase — enterprise-grade cloud infrastructure that meets SOC 2 Type II and ISO 27001 compliance standards.

• Transport security: All data between your browser (or the Android app) and our servers is encrypted using TLS 1.2 or higher. Connections using outdated protocols are refused.
• Data at rest: All stored data — accounts, session records, usage data, and memory summaries — is encrypted at rest using AES-256.
• Database access: No public database endpoints are exposed. Row-Level Security (RLS) is enforced at the database level, ensuring authenticated queries can only access data belonging to the authenticated user.
• Environment isolation: Production, staging, and development environments are fully isolated with separate credentials, access controls, and databases.
• HTTPS enforcement: HSTS (HTTP Strict Transport Security) headers are set to prevent protocol downgrade attacks. All HTTP traffic is redirected to HTTPS.

• Password hashing: Passwords are never stored in plain text. We use bcrypt hashing with per-user salts before storage.
• JWT tokens: Sessions are managed via short-lived JSON Web Tokens (JWT), cryptographically signed and verified on every request. Access tokens expire after 1 hour; refresh tokens expire after 7 days of inactivity.
• OAuth 2.0: Google Sign-In uses the OAuth 2.0 protocol. We never receive or store your Google password — only a verified email and display name.
• Rate limiting: Authentication endpoints (login, signup, password reset) are rate-limited to prevent brute-force and credential stuffing attacks.
• Session management: You can sign out at any time from the app, which invalidates your session tokens. Clearing app data on Android or clearing browser cookies also terminates all active sessions.
• Account deletion: You can permanently delete your account from Settings → Account. This immediately revokes all sessions and schedules all your data for deletion within 30 days.

Your conversations are private by design. Here is exactly how they are handled:

• Text conversations: Messages are sent via encrypted HTTPS to our AI inference provider (Groq). Conversations are processed in real-time and are not stored on our servers by default. If you enable the Memory feature (Max plan), only summarized conversation context is stored — never full transcripts — and only accessible by you.
• Voice input: Microphone audio is either streamed over encrypted WebSocket or sent as an encrypted API call to our speech-to-text provider (OpenAI Whisper). Raw audio is not stored after transcription. Only the resulting text transcript is briefly used for the AI response, then discarded.
• AI responses (TTS): Text-to-speech audio is streamed directly to your device and is not stored on our servers.
• No conversation logging for training: We do not log or store your conversations for AI training or any other purpose without your explicit consent.

All payment processing is handled by LemonSqueezy, a PCI DSS compliant payment processor. We never receive, transmit, or store your raw payment card number or banking details. LemonSqueezy tokenizes all payment information before it reaches our systems.

Our servers only receive a customer ID and subscription status — never raw financial data. Payment-related webhooks from LemonSqueezy are verified using cryptographic signature validation before processing.

• Principle of least privilege: Team members have access only to the systems and data required for their specific role. No one has blanket access to all user data.
• Row-Level Security (RLS): Database policies at the infrastructure level enforce that an authenticated user's queries can only read or modify their own data — not other users' records.
• API authentication: Every request to a protected API endpoint is authenticated via JWT verification. Unauthenticated requests are rejected with a 401 response.
• Input validation and sanitization: All incoming API payloads are validated and sanitized to prevent injection attacks including SQL injection, cross-site scripting (XSS), and other OWASP Top 10 vulnerabilities.
• Content Security Policy: CSP headers are set on web responses to mitigate XSS risks from injected scripts.

We take platform safety seriously and have implemented multiple layers of abuse prevention:

• Rate limiting: All API endpoints are rate-limited. General API: 500 requests per 15 minutes. Chat/AI endpoints: 30 requests per minute. Checkout: 10 requests per hour. These limits prevent automated abuse and protect server resources for all users.
• Usage caps: Voice usage is capped per session (maximum 4 hours per session) to prevent billing abuse and runaway usage by automated clients.
• Webhook idempotency: Payment webhooks from LemonSqueezy are processed with idempotency checks — each event is only processed once, preventing duplicate subscription activations.
• Acceptable use enforcement: We monitor for patterns indicating violation of our Acceptable Use Policy (Terms of Service, Section 7). Accounts found to be abusive may be suspended without prior notice.

We maintain basic monitoring to detect and respond to unusual patterns that may indicate security threats or abuse:

• Authentication anomalies: Multiple failed login attempts from the same IP trigger temporary rate limiting and may result in a temporary lockout.
• Unusual usage patterns: Abnormally high API usage rates that exceed normal human interaction patterns are flagged for review. This helps identify compromised accounts or automated abuse.
• Webhook validation: All payment processor webhooks are cryptographically verified before being acted upon, protecting against forged payment events.
• Error monitoring: Application-level errors are logged (without storing user content) to allow us to detect and fix security issues quickly.

If we detect suspicious activity on your account, we may contact you at the email address on file to verify your identity before taking any action.

We carefully evaluate the security practices of every provider we integrate with. Our key providers:

• Supabase (Database & Auth) — SOC 2 Type II, ISO 27001 certified. Enterprise cloud hosting with full encryption and RLS.
• Groq (AI Inference) — Enterprise-grade API security. Data processed in isolated environments with zero retention commitments.
• OpenAI (Voice Processing) — SOC 2 Type II certified. Audio data is not retained after the API request completes.
• LemonSqueezy (Payments) — PCI DSS compliant. No raw card data reaches our servers.

We only share data with third parties to the minimum extent necessary to provide the Service. We do not sell user data to any third party.

We take security vulnerabilities seriously and appreciate responsible disclosure from the security community. If you discover a security issue with Bronsik, please report it privately before any public disclosure.

• Security email: security@bronsik.cloud
• Acknowledgement: We will confirm receipt within 24 hours
• Status update: We will provide an update within 72 hours
• In scope: Authentication bypass, data access between users, injection vulnerabilities, insecure direct object references, payment logic flaws
• Out of scope: Social engineering, denial-of-service attacks, attacks on third-party infrastructure, theoretical vulnerabilities without proof of concept

We do not take legal action against researchers who disclose vulnerabilities in good faith and follow responsible disclosure principles. We cannot offer bug bounties at this time, but we will publicly acknowledge contributions where the researcher consents.

In the event of a security incident affecting user data:

• We will notify affected users within 72 hours of discovery, in compliance with GDPR Article 33 and applicable breach notification laws
• Notifications will be sent to the email address associated with your account
• We will explain clearly: what happened, what data was affected, what we have done in response, and what actions (if any) you should take
• We will not delay notifications to protect our reputation — transparency in incidents is a commitment we make to our users

• Application dependencies are regularly reviewed and updated to patch known vulnerabilities (CVEs)
• Security patches are applied as soon as they are available and tested
• HTTPS is enforced with HSTS headers to prevent protocol downgrade attacks
• Content Security Policy (CSP) headers mitigate cross-site scripting risks
• API endpoints are protected against CSRF with appropriate validation
• Database schemas enforce type safety and constraints to prevent malformed data
• Production server logs do not contain personally identifiable conversation content

No system is perfectly secure. We have built Bronsik with security as a foundational concern — not an afterthought — but we are a small team and we will not make promises we cannot keep.

What we can honestly say: we follow industry-standard practices for encryption, authentication, access control, and abuse prevention. We use established, well-audited infrastructure providers. We monitor for anomalies and respond to incidents promptly.

What we will not claim: that we are impenetrable, that no breach is ever possible, or that our security is equivalent to that of large enterprises with dedicated security teams. We are honest about who we are and what we can do — and we are committed to continuous improvement.

If you ever have concerns about the security of your account or data, please contact us. We will always take your concerns seriously.

For security-related concerns or vulnerability reports, contact us directly:

• Security issues: security@bronsik.cloud
• Privacy questions: privacy@bronsik.cloud
• General support: support@bronsik.cloud