GeoStorm processes sensitive business data: your brand information, competitor intelligence, and AI visibility metrics. We take the security of this data seriously. Here's how we protect it.
Infrastructure
- Hosting: Our application runs on Render.com with automatic TLS termination, DDoS protection, and isolated compute environments
- Database: All data is stored in Supabase (PostgreSQL) with encryption at rest (AES-256) and in transit (TLS 1.3)
- CDN: Static assets served through a global edge network with automatic HTTPS
Authentication & Access Control
- Authentication: Powered by Supabase Auth with support for email/password and Google OAuth 2.0
- Password security: Passwords are hashed using bcrypt with appropriate cost factors. We never store plaintext passwords
- Row-Level Security: Every database table enforces row-level security (RLS) policies. Users can only access their own data; this is enforced at the database level, not just the application level
- JWT-based sessions: Stateless session tokens with automatic expiration and refresh
- Admin access: Separate admin authentication with restricted access. No shared credentials
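To make the row-level security claim above concrete, here is an added example of what "enforced at the database level" looks like in Supabase's PostgreSQL. This is illustrative code written for this page, not GeoStorm's actual schema or policies: the table name `brand_profiles` and its columns are assumptions. `auth.uid()` is Supabase's built-in helper that returns the user id carried in the verified JWT of the current request, so the predicate is evaluated by PostgreSQL on every row regardless of which application code path issued the query.

```sql
-- Added illustration, not GeoStorm's real schema: a hypothetical
-- "brand_profiles" table owned by the user who created the row.
create table if not exists brand_profiles (
  id         bigint generated always as identity primary key,
  user_id    uuid not null default auth.uid() references auth.users (id),
  brand_name text not null,
  created_at timestamptz not null default now()
);

-- Without RLS, any role holding table-level grants can read every row.
-- Enabling it makes a per-row policy mandatory; FORCE applies it to the
-- table owner as well, so owner-privileged connections cannot bypass it.
alter table brand_profiles enable row level security;
alter table brand_profiles force row level security;

-- One policy per statement type. USING filters rows that may be seen or
-- changed; WITH CHECK constrains rows being written, which stops a user
-- from inserting or re-assigning a row under someone else's user_id.
create policy "brand_profiles: owner can read"
  on brand_profiles for select
  to authenticated
  using (user_id = auth.uid());

create policy "brand_profiles: owner can insert"
  on brand_profiles for insert
  to authenticated
  with check (user_id = auth.uid());

create policy "brand_profiles: owner can update"
  on brand_profiles for update
  to authenticated
  using (user_id = auth.uid())
  with check (user_id = auth.uid());

create policy "brand_profiles: owner can delete"
  on brand_profiles for delete
  to authenticated
  using (user_id = auth.uid());

-- Audit check: list any table in the public schema that still has RLS
-- disabled. For a "every table enforces RLS" guarantee this must be empty.
select schemaname, tablename
from pg_tables
where schemaname = 'public' and rowsecurity = false;
```

The final query is the check worth running after every migration: a newly created table has RLS off by default, and the statement that grants the `authenticated` role access to it is usually written long before anyone remembers the policy. Keeping the query in CI turns "every table enforces RLS" from a statement into a test.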
Data Handling
- Encryption in transit: All connections use TLS 1.3. No unencrypted HTTP traffic is accepted
- Encryption at rest: Database storage encrypted with AES-256
- Payment data: All payment processing handled by Stripe. We never see, store, or process credit card numbers. Stripe is PCI DSS Level 1 certified
- API keys: Third-party API keys (OpenAI, Anthropic, Perplexity, Google) are stored as encrypted environment variables, never in source code or client-side bundles
- Data isolation: Multi-tenant architecture with strict tenant isolation. One customer's data is never accessible to another
AI Engine Interactions
GeoStorm queries AI engines (ChatGPT, Perplexity, Gemini, Claude, Google AI) on your behalf to monitor brand visibility. Important details:
- We send industry-relevant prompts to AI engines; these prompts do not contain your private data
- AI engine responses are stored in our database to track citation trends over time
- We use official APIs from OpenAI, Anthropic, Google, and Perplexity with enterprise-grade rate limits
- Your brand data is not used to train any AI models
Development Practices
- Code review: All code changes go through review before deployment
- Dependency monitoring: Automated vulnerability scanning of all dependencies
- Environment separation: Strict separation between development, staging, and production environments
- Secret management: All secrets stored as environment variables, never committed to source control
- Input validation: All user inputs validated and sanitized on both client and server
Incident Response
In the event of a security incident:
- We will investigate and contain the issue immediately
- Affected users will be notified within 72 hours
- A post-incident report will detail what happened, what data was affected, and what steps we've taken to prevent recurrence
Responsible Disclosure
If you discover a security vulnerability in GeoStorm, please report it to support@geostorm.io with the subject line “Security Vulnerability”. We take all reports seriously and will respond within 48 hours. Please do not publicly disclose vulnerabilities before we've had an opportunity to address them.
Questions
For security-related questions, contact us at:
support@geostorm.io