Security & Compliance
Last Updated: October 2025
Security & Compliance Statement
Version 1.0, October 2025
Entity: Journey Bound Media, LLC dba DecodeIQ
Jurisdiction: State of New Mexico, United States
Contact: Security Email
1. Security Philosophy
DecodeIQ's architecture treats security as structure, not as an afterthought. Our guiding principle mirrors our product thesis: build protection at the source layer. Controls are embedded in every data-handling stage—from ingestion through retrieval—so information is protected by design and by default.
2. Infrastructure Overview
| Layer | Provider | Function |
|---|---|---|
| Application | Vercel (Next.js 15) | Edge-rendered app hosting |
| Database / Auth / Storage | Supabase (Postgres, Auth, Storage, Edge Functions) | Persistent data, user management, job orchestration |
| Vector Index | Pinecone Serverless (AWS us-east-1) | Semantic embeddings and retrieval |
| CDN / DNS / WAF | Cloudflare | DDoS protection, global caching, TLS termination |
| Payments | Stripe | Subscription billing |
| SERP / Ingestion | Bright Data, SpiderCloud | SERP-validated and network-aware content ingestion |
| AI Providers | OpenAI, Anthropic, Google Gemini | Text and semantic analysis models |
| Analytics | PostHog, Google Analytics | Usage and performance telemetry |
| Monitoring | Vercel Logs, Supabase Telemetry, PostHog Alerts | Unified observability |
All providers operate under written Data Processing Agreements, with cross-border transfers covered by Standard Contractual Clauses (SCCs) or the EU–U.S. Data Privacy Framework (DPF).
3. Data Protection Controls
3.1 Encryption
- At rest: AES-256 via Supabase and Pinecone native encryption.
- In transit: TLS 1.3 enforced on every hop. Client TLS is terminated at the Cloudflare edge (Section 2); traffic from the edge to the origin and between services is likewise TLS-protected.
- Key management: Provider-managed, rotated every 90 days.
3.2 Access Control
- Role-based access (RBAC) for internal users.
- Multi-factor authentication (MFA) required for all admin accounts.
- Supabase Row-Level Security (RLS) isolates each workspace.
- Principle of Least Privilege applied to all service roles.
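The workspace isolation claimed above rests on Postgres Row-Level Security policies. The block below is an added example, not DecodeIQ's schema or code: it assumes hypothetical `workspace_members` and `briefs` tables plus Supabase's `auth.uid()` helper and its `authenticated` and `anon` roles. It shows the two statements that actually switch RLS on (a table with policies but RLS disabled is still wide open), a membership predicate wrapped in a SECURITY DEFINER function so the policy does not recurse into its own RLS, and write policies whose WITH CHECK clause prevents a user from inserting or moving rows into a workspace they do not belong to.

```sql
-- Added example, hypothetical schema (not DecodeIQ's). Supabase-specific pieces:
-- auth.uid() (reads the caller's JWT "sub" claim) and the anon/authenticated roles.
create table if not exists workspace_members (
  workspace_id uuid not null,
  user_id      uuid not null,
  role         text not null check (role in ('owner', 'admin', 'member')),
  primary key (workspace_id, user_id)
);

create table if not exists briefs (
  id           uuid primary key default gen_random_uuid(),
  workspace_id uuid not null,
  title        text not null,
  body         text,
  created_by   uuid not null default auth.uid(),
  created_at   timestamptz not null default now()
);

-- Without ENABLE, policies are ignored and every authenticated user reads every row.
-- FORCE applies the policies to the table owner as well.
alter table briefs enable row level security;
alter table briefs force row level security;

-- Membership predicate. SECURITY DEFINER lets the policy consult workspace_members
-- without re-entering RLS on that table; search_path is pinned to avoid hijacking.
create or replace function is_workspace_member(ws uuid)
returns boolean
language sql
stable
security definer
set search_path = public
as $$
  select exists (
    select 1 from workspace_members m
    where m.workspace_id = ws and m.user_id = auth.uid()
  );
$$;

-- Functions are executable by PUBLIC by default; limit the helper to signed-in users.
revoke execute on function is_workspace_member(uuid) from public;
grant  execute on function is_workspace_member(uuid) to authenticated;

-- Weak setting, shown for contrast only (do not run):
--   create policy briefs_select on briefs for select using (true);
-- That trusts the client to filter by workspace_id and isolates nothing.

-- Read: only rows in workspaces the caller belongs to.
create policy briefs_select on briefs
  for select to authenticated
  using (is_workspace_member(workspace_id));

-- Write: WITH CHECK is evaluated on the new row, so a caller cannot insert into,
-- or UPDATE a row into, a workspace they are not a member of.
create policy briefs_insert on briefs
  for insert to authenticated
  with check (is_workspace_member(workspace_id) and created_by = auth.uid());

create policy briefs_update on briefs
  for update to authenticated
  using (is_workspace_member(workspace_id))
  with check (is_workspace_member(workspace_id));

create policy briefs_delete on briefs
  for delete to authenticated
  using (is_workspace_member(workspace_id));

-- Check from psql: impersonate a request carrying a given JWT subject.
-- begin;
--   set local role authenticated;
--   select set_config('request.jwt.claims', '{"sub":"00000000-0000-0000-0000-000000000001"}', true);
--   select count(*) from briefs;   -- counts only rows in that user's workspaces
-- rollback;
```

Two caveats worth testing in any Supabase deployment: no policy above names `anon`, so unauthenticated requests return zero rows rather than an error, which is the intended fail-closed behaviour; and the `service_role` key bypasses RLS entirely, so the least-privilege point in the list above is only met if that key never leaves server-side code and is not handed to the browser or to Edge Functions that act on user input.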
3.3 Authentication
- Supabase Auth with OAuth 2.0 sign-in and JWT-based sessions.
- Passwords stored as bcrypt hashes; no plaintext recovery.
3.4 Network Security
- Cloudflare Web Application Firewall (WAF) blocks malicious traffic.
- DDoS mitigation and rate limiting on all API endpoints.
- Edge functions run statelessly to minimize attack surface.
4. Monitoring, Logging, and Telemetry
- Application Logs: captured via Vercel and Supabase for error analysis.
- Usage Metrics: aggregated through PostHog and Google Analytics (IP anonymized).
- Marketing Attribution: LinkedIn, Reddit, X, and Meta pixels load only after consent.
- Access Auditing: every privileged action logged with timestamp and actor ID.
- Retention: operational logs ≤ 90 days; anonymized telemetry retained for trend analysis.
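The access-auditing item above (every privileged action recorded with a timestamp and actor ID) is commonly implemented at the database layer so that it cannot be skipped by a misbehaving client. The block below is an added example, not DecodeIQ's code: it assumes a hypothetical `workspace_api_keys` table as the privileged state being audited and uses Supabase's `auth.uid()` to identify the actor. The audit table is append-only for application roles; the trigger function runs as SECURITY DEFINER so it can write rows that those roles cannot otherwise touch.

```sql
-- Added example, hypothetical tables (not DecodeIQ's). Records who changed what, when.
create table if not exists audit_log (
  id          bigint generated always as identity primary key,
  occurred_at timestamptz not null default now(),
  actor_id    uuid,                       -- null when no JWT subject (e.g. service-role job)
  actor_role  text not null default current_user,
  action      text not null,              -- INSERT / UPDATE / DELETE
  table_name  text not null,
  row_id      text,
  old_row     jsonb,
  new_row     jsonb
);

-- Append-only: application roles get no direct access at all; rows arrive only via
-- the definer trigger below, and nothing can rewrite history through the API.
alter table audit_log enable row level security;
revoke all on audit_log from anon, authenticated;

create or replace function record_audit()
returns trigger
language plpgsql
security definer
set search_path = public
as $$
begin
  insert into audit_log (actor_id, action, table_name, row_id, old_row, new_row)
  values (
    auth.uid(),
    tg_op,
    tg_table_name,
    coalesce(to_jsonb(new) ->> 'id', to_jsonb(old) ->> 'id'),
    case when tg_op in ('UPDATE', 'DELETE') then to_jsonb(old) end,
    case when tg_op in ('INSERT', 'UPDATE') then to_jsonb(new) end
  );
  return coalesce(new, old);
end;
$$;

-- A hypothetical privileged table to audit: API keys scoped to a workspace.
create table if not exists workspace_api_keys (
  id           uuid primary key default gen_random_uuid(),
  workspace_id uuid not null,
  key_hash     text not null,             -- store a hash, never the raw key
  created_at   timestamptz not null default now()
);

create trigger workspace_api_keys_audit
  after insert or update or delete on workspace_api_keys
  for each row execute function record_audit();
```

Note the `actor_role` column: when a job runs with the service-role key, `auth.uid()` is null, so recording the database role as well keeps the trail attributable. A 90-day retention window, as stated above, then becomes a scheduled `delete from audit_log where occurred_at < now() - interval '90 days'` run by a privileged role rather than through the API.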
5. Backup and Disaster Recovery
| Metric | Target |
|---|---|
| Recovery Point Objective (RPO) | 24 hours |
| Recovery Time Objective (RTO) | 15 minutes |
| Backup Frequency | Continuous incremental with daily snapshot |
| Backup Retention | 30-day rolling window |
| Storage | Encrypted, provider-managed (Supabase + AWS S3) |
Disaster-recovery playbooks are tested semi-annually.
6. Incident Response Protocol
Detection → Containment → Notification → Remediation
- Automated anomaly detection via PostHog alerts and Supabase telemetry.
- Incident triage within 2 hours of alert.
- Notification to the competent supervisory authority within 72 hours of confirming a Personal Data Breach (GDPR Art. 33), and to affected customers without undue delay so that they, as controllers, can meet their own Art. 33 and Art. 34 obligations.
- Root-cause analysis and mitigation documented in internal audit logs.
Contact: Security Email
7. Compliance Framework Alignment
| Standard / Regulation | DecodeIQ Control Mapping |
|---|---|
| GDPR | DPA v1.0 Sections 7–10 · RLS isolation · 72 h breach policy |
| CCPA / CPRA | No sale of personal data · Opt-out rights via Privacy Email |
| SOC 2 Type II (Reference) | Encryption, access control, change management (inherited from providers' reports; no DecodeIQ-specific attestation) |
| ISO 27001 (Reference) | Risk management, business continuity, security ownership |
| PCI-DSS | Stripe certified; DecodeIQ never stores card data |
| EU–U.S. Data Privacy Framework | Transfers covered through the DPF certifications of listed subprocessors |
DecodeIQ periodically reviews alignment with these frameworks and updates controls accordingly.
8. Data Retention and Deletion
| Data Type | Retention | Deletion Mechanism |
|---|---|---|
| Active workspace data | Lifecycle of subscription | Manual or automatic upon termination |
| Briefs / draft outputs | ≤ 30 days post-generation | Automated purge |
| Logs / telemetry | ≤ 90 days | Rolling deletion |
| Billing records | 7 years | Legal compliance |
| Backups | 30-day rotation | Encrypted destruction |
Verification of deletion available upon request.
9. Vendor and Third-Party Management
Before onboarding any Sub-Processor, DecodeIQ:
- Performs a security assessment (SCC/DPF verification, SOC 2 review).
- Executes a written DPA.
- Publishes the vendor on the Sub-Processor List.
- Re-evaluates vendors annually.
10. Customer Responsibilities
Customers must:
- Maintain secure credentials and MFA for workspace admins.
- Limit access to authorized personnel.
- Use the Platform only for lawful purposes.
- Report suspected vulnerabilities to Security Email.
11. Vulnerability Management
- Dependency scanning integrated in CI/CD pipeline.
- Critical vulnerabilities patched within 72 hours of disclosure.
- Penetration testing conducted annually by an external partner.
- Responsible-disclosure program accepts reports at Security Email.
12. Breach Notification History
As of October 18, 2025, DecodeIQ has experienced no reportable personal-data breaches under GDPR or CCPA thresholds.
13. Continuous Improvement
Security and compliance are evaluated quarterly by DecodeIQ's engineering leadership. Audit logs, metrics, and incident records are reviewed to maintain the 70%+ gross-margin / 99.5%-uptime service targets without compromising data protection.
14. Contact
Journey Bound Media, LLC dba DecodeIQ
Albuquerque, New Mexico, USA
Security Email
Effective Date: October 18, 2025
Version: 1.0