Security and privacy at the core

IntentPath is built so that the safest path is the default. Here is how we protect your data and your visitors' data.

Row-Level Security & tenant isolation

Every row is scoped to an organization and enforced by database-level Row-Level Security. One tenant can never read or write another tenant's data, even through application bugs.

Least-privilege access

Roles (owner, admin, member, viewer) grant only the access each person needs. Internal access to production data is restricted, logged, and granted on a need-to-know basis.

Encrypted secrets

API keys and credentials are stored as environment variables and platform-managed secrets — never committed to source control or exposed to the browser.

Cookie-aware, consent-driven tracking

Tracking honors your configured consent mode. Non-essential cookies are only set with consent, and visitor choices are respected across sessions.

Data subject requests

Export or delete a data subject's records on request. Our pseudonymous data model makes fulfilling access and erasure requests straightforward.

Audit logs

Sensitive actions across organizations and websites are recorded in audit logs so you can review who did what, and when.

Subprocessors

We rely on a small set of vetted providers to operate the service.

Name | Purpose | Region
Supabase | Database, authentication, storage | EU
Resend | Transactional email delivery | EU/US
Stripe | Billing and payment processing | EU/US
Google (Gemini API) | AI inference and embeddings | US
Vercel | Application hosting | Global

A note on certifications

We believe in being honest about where we are. SOC 2 is not yet available. We have designed our architecture around the controls that matter most — tenant isolation, least-privilege access, and consent-aware tracking — and we will pursue formal certification as we grow.