Plain-English documentation of what data we store, where, how it is encrypted, who can access it, and which third parties touch it.
Last updated: 2026-05-16
The short version
Kompozy stores three categories of data: account information (email, billing, plan tier), workspace content (your Persona Brief, sources, generated outputs, brand assets), and operational logs (API calls, error traces, usage metrics). Everything is encrypted in transit (TLS 1.3) and at rest (AES-256). Generated media lives in private storage buckets with 10-year signed URLs scoped to your user ID. API keys are encrypted at rest with a per-workspace envelope key.
1. Data storage
Kompozy runs on three primary infrastructure providers:
Supabase (US-East). Hosts the Postgres database, Auth, and Storage buckets. SOC 2 Type II certified. Daily backups with 7-day point-in-time recovery.
Vercel (Global edge). Hosts the Next.js application + serverless functions. SOC 2 Type II certified. Edge-cached static assets only; no customer data persists on Vercel infrastructure.
Trigger.dev (US-East). Runs the long-form generation workers (avatar video, blog renders, etc.). Workers do not persist customer data beyond run completion; output is uploaded to Supabase Storage.
2. Encryption
In transit: TLS 1.3 on all HTTPS traffic. HSTS preload with includeSubDomains.
At rest: AES-256 on all Supabase Postgres tables and Storage buckets.
API keys (HeyGen, ElevenLabs, OpenAI, Blotato, Mailchimp, etc.): Encrypted at rest with a per-workspace envelope key. Plaintext keys exist only in-memory at request time and are zeroed after use.
Backups: Same encryption as primary data; backups are scoped to the project and never cross-pollinate workspaces.
3. Access controls
Row-level security (RLS): Every database table has RLS policies that scope reads/writes to the authenticated user's ID. A user cannot read another user's generated content, sources, brand assets, or API keys — even via service role queries on the wrong tenant.
Service role usage: Service-role Supabase clients are used only in Trigger.dev workers and admin tooling. Every service-role query is logged and scoped to a specific user ID or workspace ID derived from the dispatch context.
Internal access: Only the founder (Moe Ameen) has direct production database access. Customer support accesses customer state through the admin console, which logs every action to the admin_actions audit table.
Customer admin actions are logged. Every customer-affecting admin action (pause billing, suspend account, refund, plan change, credits grant) writes to admin_actions with admin ID, customer ID, action type, reason, and timestamp.
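The per-user scoping described above, written out as Supabase-style Postgres RLS for a hypothetical sources table (this is an added illustration, not Kompozy's actual schema or policies; table and column names are assumed). One caveat a reviewer would add: Supabase's service_role key runs as a Postgres role with BYPASSRLS, so for worker and admin-tool queries the workspace scoping has to be enforced in application code and logging, as section 3 says, rather than by these policies.

```sql
-- Hypothetical table; Kompozy's real schema is not published on this page.
create table if not exists sources (
  id           uuid primary key default gen_random_uuid(),
  user_id      uuid not null references auth.users(id) on delete cascade,
  workspace_id uuid not null,
  title        text not null,
  body         text,
  created_at   timestamptz not null default now()
);

-- Turn RLS on, and force it so even the table owner cannot skip it.
alter table sources enable row level security;
alter table sources force row level security;

-- Each policy compares the row's owner with the caller's JWT subject.
-- auth.uid() is Supabase's helper that reads the subject from the request JWT.
create policy sources_select_own on sources
  for select to authenticated
  using (auth.uid() = user_id);

create policy sources_insert_own on sources
  for insert to authenticated
  with check (auth.uid() = user_id);

create policy sources_update_own on sources
  for update to authenticated
  using (auth.uid() = user_id)
  with check (auth.uid() = user_id);  -- cannot re-own a row to another user

create policy sources_delete_own on sources
  for delete to authenticated
  using (auth.uid() = user_id);

-- Audit table (hypothetical columns): customers may read their own rows,
-- nobody in the client-facing roles may update or delete them.
create table if not exists admin_actions (
  id          bigint generated always as identity primary key,
  admin_id    uuid not null,
  customer_id uuid not null,
  action_type text not null,
  reason      text,
  created_at  timestamptz not null default now()
);
alter table admin_actions enable row level security;
revoke update, delete on admin_actions from anon, authenticated;
create policy admin_actions_read_own on admin_actions
  for select to authenticated
  using (auth.uid() = customer_id);

-- Check: any public table that still has RLS switched off.
select c.relname
from pg_class c join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public' and c.relkind = 'r' and not c.relrowsecurity;
```

Running the final query should return no rows; a table listed there is reachable by any authenticated caller regardless of owner.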
4. Generated content storage
Kompozy generates significant volumes of media (avatar shorts, clipped video, image carousels, quote graphics). All generated media is uploaded to the generated-media Supabase Storage bucket immediately after generation completes. The bucket is private; URLs are signed with a 10-year TTL scoped to the user's ID. Provider URLs (OpenAI DALL-E, Kie, PiAPI, HeyGen) are never stored in the database: they expire in 30-60 minutes, and shipping them would cause content to silently disappear from your posts.
You can export all generated content as JSON + media bundle from Settings → Data Export at any time. Account deletion wipes all workspace data within 30 days and is irreversible.
5. Third-party integrations (data egress)
Generated content workflows touch third-party APIs. Each integration receives only the data needed for the specific task and never receives your full workspace state. Integrations:
OpenAI / Anthropic / Google (LLMs): Receives generation prompts + Persona Brief context. Per OpenAI / Anthropic policy, API content is NOT used for model training. We use API endpoints, never consumer products.
HeyGen / ElevenLabs: Receives scripts + voice / avatar IDs for video generation. Outputs are streamed back and uploaded to your Storage bucket.
Blotato / GHL (publishing): Receives the specific post content + your authorized social account credentials for publishing. Each publish call is per-platform, per-post.
Stripe (billing): Receives subscription events, plan changes, and credit-pack purchases. Stripe holds your card data, not us — we only store the customer ID.
Mailchimp (newsletter publishing): Receives newsletter draft content + your list ID at publish time.
We do not sell or share your data with advertising networks, data brokers, or AI model training pipelines.
6. Authentication
Supabase Auth handles all authentication. Email + password with optional magic-link sign-in.
Passwords are hashed with bcrypt (Supabase default). We never see your plaintext password.
Session tokens are HTTP-only cookies with secure + same-site flags. Auto-rotated every 60 minutes.
SSO and SAML are roadmap items for Enterprise tier; not currently shipped on Creator / Pro / Agency.
Account recovery requires email verification. We do not bypass authentication for support requests.
7. Compliance posture
SOC 2: Not yet certified. Roadmap target: Q4 2026. Until certified, we operate to SOC 2 controls but do not claim certification.
GDPR: Compliant for EU/UK customers. Data export and account deletion are self-service. Data processing agreement (DPA) available on request.
HIPAA: Not certified. Do not use Kompozy for protected health information.
FERPA: Not certified. Do not use Kompozy for educational records covered by FERPA.
FINRA / SEC: Not certified. Financial advisors and broker-dealers using Kompozy must run compliance review on every output before publishing.
8. Incident response
If you discover a security issue, email security@kompozy.io. We acknowledge within 24 hours and respond with remediation status within 5 business days for high-severity issues.
Material security incidents (data breach, unauthorized access, customer data exposure) trigger customer notification within 72 hours per GDPR requirements, including for non-EU customers.
9. Service availability
Kompozy targets 99.5% monthly uptime. Outages over 24 hours trigger pro-rated credit per the refund policy. Status page coming soon at status.kompozy.io.
10. Open questions
Email security@kompozy.io for any security questions not answered here. Enterprise customers can request a security review call before signing.