Security & Compliance
Last Updated: May 2026
Security & Compliance Statement
Version 1.2, May 2026 Entity: Journey Bound Media, LLC dba DecodeIQ Jurisdiction: State of New Mexico, United States Contact: Security Email
1. Security Philosophy
DecodeIQ's architecture treats security as structure, not as an afterthought. Our guiding principle mirrors our product thesis: build protection at the source layer. Controls are embedded in every data-handling stage, from ingestion through retrieval, so information is protected by design and by default.
2. Infrastructure Overview
| Layer | Provider | Function |
|---|---|---|
| Application | Vercel (Next.js 15) | Edge-rendered app hosting |
| Database / Auth / Storage | Supabase (Postgres, Auth, Storage) | Persistent data, user management, realtime |
| Async Pipeline / Jobs | Trigger.dev | MNSU scan pipeline orchestration & background jobs |
| Vector Index | Pinecone Serverless (AWS us-east-1) | Buyer intelligence embeddings and retrieval |
| CDN / DNS / WAF | Cloudflare | DDoS protection, global caching, TLS termination |
| Payments | Stripe | Subscription billing |
| AI Providers | OpenAI, Anthropic, Google Gemini | Text extraction and buyer intelligence models |
| Analytics | PostHog, Google Analytics | Usage and performance telemetry |
| Monitoring | Vercel Logs, Supabase Telemetry, Sentry, PostHog Alerts | Unified observability and error tracking |
All providers execute under written Data Processing Agreements and SCC/DPF mechanisms.
3. Data Protection Controls
3.1 Encryption
- At rest: AES-256 via Supabase and Pinecone native encryption.
- In transit: TLS 1.3 enforced end-to-end.
- Key management: Provider-managed, rotated every 90 days.
3.2 Access Control
- Role-based access (RBAC) for internal users.
- Multi-factor authentication (MFA) required for all admin accounts.
- Supabase Row-Level Security (RLS) isolates each workspace.
- Principle of Least Privilege applied to all service roles.
3.3 Authentication
- OAuth 2.0 and JWT-based Supabase Auth.
- Passwords stored as bcrypt hashes; no plaintext recovery.
3.4 Network Security
- Cloudflare Web Application Firewall (WAF) blocks malicious traffic.
- DDoS mitigation and rate limiting on all API endpoints.
- Upstash Redis rate limiting on sensitive endpoints (downloads, contact forms).
- Cloudflare Turnstile bot protection on authentication flows and form submissions.
- Content Security Policy (CSP) enforced on all routes with restricted directives.
- Next.js API routes run as stateless serverless functions on Vercel to minimize attack surface.
4. Monitoring, Logging, and Telemetry
- Application Logs: captured via Vercel, Supabase, and Sentry for error analysis.
- Usage Metrics: aggregated through PostHog and Google Analytics (IP anonymized).
- Marketing Attribution: LinkedIn, Reddit, X, and Meta pixels load only after consent.
- Access Auditing: every privileged action logged with timestamp and actor ID.
- Retention: operational logs ≤ 90 days; anonymized telemetry retained for trend analysis.
5. Backup and Disaster Recovery
| Metric | Target |
|---|---|
| Recovery Point Objective (RPO) | 24 hours |
| Recovery Time Objective (RTO) | 15 minutes |
| Backup Frequency | Continuous incremental with daily snapshot |
| Backup Retention | 30-day rolling window |
| Storage | Encrypted, provider-managed (Supabase + AWS S3) |
Disaster-recovery playbooks are tested semi-annually.
6. Incident Response Protocol
Detection → Containment → Notification → Remediation
- Automated anomaly detection via PostHog alerts and Supabase telemetry.
- Incident triage within 2 hours of alert.
- Notification to affected customers and regulators within 72 hours if a Personal Data Breach is confirmed (per GDPR Art. 33).
- Root-cause analysis and mitigation documented in internal audit logs.
Contact: Security Email
7. Compliance Framework Alignment
| Standard / Regulation | DecodeIQ Control Mapping |
|---|---|
| GDPR | DPA v1.1 Sections 7–10 · RLS isolation · 72 h breach policy |
| CCPA / CPRA | No sale of personal data · Opt-out rights via Privacy Email |
| SOC 2 Type II (Reference) | Encryption, access control, change management (provider-inherited) |
| ISO 27001 (Reference) | Risk management, business continuity, security ownership |
| PCI-DSS | Stripe certified; DecodeIQ never stores card data |
| EU-U.S. Data Privacy Framework | Active participation through listed subprocessors |
DecodeIQ periodically reviews alignment with these frameworks and updates controls accordingly.
8. Data Retention and Deletion
| Data Type | Retention | Deletion Mechanism |
|---|---|---|
| Active workspace data | Lifecycle of subscription | Manual or automatic upon termination |
| Analysis data (Voice Maps, generated content) | While the account remains active | Deleted on account deletion |
| Scan records (queries and collected public data) | While the account remains active; de-identified and retained as aggregate corpus after account deletion | User link removed on deletion |
| Logs / telemetry | ≤ 90 days | Rolling deletion |
| Billing records | 7 years | Legal compliance |
| Backups | 30-day rotation | Encrypted destruction |
Verification of deletion available upon request.
9. Vendor and Third-Party Management
Before onboarding any Sub-Processor, DecodeIQ:
- Performs a security assessment (SCC/DPF verification, SOC 2 review).
- Executes a written DPA.
- Publishes the vendor on the Sub-Processor List.
- Re-evaluates vendors annually.
10. Customer Responsibilities
Customers must:
- Maintain secure credentials and MFA for workspace admins.
- Limit access to authorized personnel.
- Use the Service only for lawful purposes.
- Report suspected vulnerabilities to Security Email.
11. Vulnerability Management
- Dependency scanning integrated in CI/CD pipeline (pnpm audit, automated on every build).
- Critical vulnerabilities patched within 72 hours of disclosure.
- Security audit completed May 2026 using OWASP ZAP, Nuclei, Mozilla Observatory, Supabase Security Advisors, and manual RLS verification. Zero critical or high-severity findings.
- Content Security Policy enforced with restricted directives (object-src, base-uri, form-action, frame-ancestors).
- Row-Level Security verified on all 19 database tables with ownership-scoped policies.
- Responsible-disclosure program accepts reports at Security Email.
12. Breach Notification History
As of May 27, 2026, DecodeIQ has experienced no reportable personal-data breaches under GDPR or CCPA thresholds.
13. Continuous Improvement
Security and compliance are evaluated quarterly by DecodeIQ's engineering leadership. Audit logs, metrics, and incident records are reviewed to maintain the 99.5%-uptime service target without compromising data protection.
14. Contact
Journey Bound Media, LLC dba DecodeIQ Albuquerque, New Mexico, USA Security Email
15. Security Audit Reports
DecodeIQ conducts periodic security audits using industry-standard tools and publishes the results transparently.
| Date | Scope | Tools | Result | Report |
|---|---|---|---|---|
| May 2026 | Full platform (marketing + app) | OWASP ZAP, Nuclei, Mozilla Observatory, pnpm audit, Supabase Advisors, RLS sweep | Zero critical or high-severity findings | Read the full audit report |
Effective Date: May 27, 2026 Version: 1.2