Security

Your data is protected by design.

Infraova is built for agencies that manage sensitive client infrastructure. Security is not an afterthought it is a core architectural requirement. Here is exactly how we protect your data and your clients.

Our security practices

Data encrypted at rest and in transit

All data stored in Infraova is encrypted at rest using AES-256. All data in transit is encrypted via TLS 1.2 or higher. This applies to everything account data, domain records, alert configurations, and report content.

Row-level security on every table

Infraova uses Supabase with row-level security (RLS) enforced at the database layer. Every query is scoped to the authenticated organization it is architecturally impossible for one organization to read or write another organization's data.

Role-based access control

Every action in Infraova is gated by role. Admin and Member roles are enforced server-side on every request not just in the UI. Sensitive operations (team management, billing, organization deletion) require Admin privileges.

Secure authentication

Authentication is handled by Supabase Auth, which implements industry-standard security practices including secure session management, token rotation, and protection against common attacks such as CSRF and session fixation.

Minimal data collection

Infraova collects only the data required to operate the service. We do not sell data, share it with third parties for advertising, or retain it beyond what is necessary. Domain names submitted for monitoring are used solely for health checks.

Infrastructure security

Infraova runs on Vercel (application layer) and Supabase (database layer) both of which maintain their own security certifications and infrastructure controls. We inherit enterprise-grade infrastructure security without building it ourselves.

Audit logging

Key actions within Infraova domain additions, alert configuration changes, team membership changes, billing events are logged with timestamps and user attribution. Organization admins can review activity through the dashboard.

Regular dependency updates

We actively monitor and update dependencies to address known vulnerabilities. Critical security patches are applied as a priority. We track advisories for all major dependencies in the Infraova stack.

Infrastructure & third-party providers

Infraova is built on infrastructure providers that maintain their own rigorous security certifications. We deliberately chose providers with strong security postures so our customers benefit from enterprise-grade protection from day one.

Vercel

Application hosting

SOC 2 Type II certified. Global edge network with DDoS protection.

Security page →

Supabase

Database & authentication

SOC 2 Type II certified. PostgreSQL with RLS, encrypted backups, and point-in-time recovery.

Security page →

Resend

Transactional email

Email delivery for alerts, reports, and invitations. SPF, DKIM, and DMARC configured.

Security page →

Paddle

Payment processing

PCI DSS Level 1 certified Merchant of Record. Card data never touches Infraova servers.

Security page →

Responsible disclosure

If you discover a security vulnerability in Infraova, please report it to us privately before disclosing it publicly. We take all security reports seriously and will respond within 48 hours.

security@infraova.com

Have a security question?

If you have questions about how Infraova handles your data, we are happy to answer them.

Contact security team