Security at Effora AI

Your leads, conversations, and revenue data are the most sensitive assets in your business. Here's exactly how we protect them.

Data encryption

  • All data in transit protected by TLS 1.3 with HSTS preloading
  • Integration credentials (Razorpay, Cal.com, ManyChat) encrypted at rest using AES-256-GCM before storage
  • Supabase database encryption at rest (AES-256)
  • Environment secrets stored in Vercel's encrypted secret store, never in source code

Access control

  • Row-Level Security (RLS) on every Supabase table — zero cross-org data exposure enforced at the database layer
  • Service-role credentials never sent to the browser — all privileged operations run server-side only
  • Multi-tier auth: Supabase Auth + Google OAuth 2.0 with PKCE
  • Per-org membership roles (owner, admin, member), with explicit permission checks on every API route

Infrastructure

  • Hosted on Vercel (SOC 2 Type II) + Supabase (SOC 2 Type II, ISO 27001)
  • No personal data leaves India/EU regions (Supabase region selected at project creation)
  • Connection pooling via PgBouncer — no persistent long-lived DB connections from serverless functions
  • Automated weekly dependency updates via GitHub Dependabot

Monitoring & incident response

  • Server-side error log (error_log table) captures all unhandled exceptions with route + org context
  • Audit log records all sensitive actions: login, subscription changes, credential updates, plan upgrades/downgrades
  • Admin dashboard at /admin/health shows live quota usage and error counts
  • Security issues: email security@Effora AI.app (or open a GitHub security advisory for responsible disclosure)

Application security

  • Content Security Policy on all routes: restricts script, frame, and connection sources
  • Webhook signatures verified via HMAC-SHA256 for all incoming webhooks (Cal.com, Razorpay)
  • Rate limiting on all public endpoints (Upstash Redis sliding window in production)
  • Prompt injection mitigations: user input wrapped in delimiters and sanitized before LLM calls
  • Input validation with Zod on all form-facing API routes

AI data handling

  • Lead message content sent to Groq (US-hosted) only for qualification and draft generation
  • No lead personal data stored by Groq — Groq's API is stateless with no training on API traffic
  • AI message quotas enforced per plan tier — no runaway spend possible
  • Coach can delete all org data via account deletion (cascades to all tables via FK ON DELETE CASCADE)

Found a vulnerability?

Please disclose responsibly. Email security@Effora AI.app with details. We aim to respond within 48 hours and will credit researchers in our changelog.