Security and privacy at the core
IntentPath is built so that the safest path is the default. Here is how we protect your data and your visitors' data.
Row-Level Security & tenant isolation
Every row is scoped to an organization and enforced by database-level Row-Level Security. One tenant can never read or write another tenant's data, even through application bugs.
Least-privilege access
Roles (owner, admin, member, viewer) grant only the access each person needs. Internal access to production data is restricted, logged, and granted on a need-to-know basis.
Encrypted secrets
API keys and credentials are stored as environment variables and platform-managed secrets — never committed to source control or exposed to the browser.
Cookie-aware, consent-driven tracking
Tracking honors your configured consent mode. Non-essential cookies are set only with consent, and visitor choices are respected across sessions.
Data subject requests
Export or delete a data subject's records on request. Our pseudonymous data model makes fulfilling access and erasure requests straightforward.
Audit logs
Sensitive actions across organizations and websites are recorded in audit logs so you can review who did what, and when.
Subprocessors
We rely on a small set of vetted providers to operate the service.

| Name | Purpose | Region |
|---|---|---|
| Supabase | Database, authentication, storage | EU |
| Resend | Transactional email delivery | EU/US |
| Stripe | Billing and payment processing | EU/US |
| Google (Gemini API) | AI inference and embeddings | US |
| Vercel | Application hosting | Global |

A note on certifications
We believe in being honest about where we are. SOC 2 is not yet available. We have designed our architecture around the controls that matter most — tenant isolation, least-privilege access, and consent-aware tracking — and we will pursue formal certification as we grow.