How we protect your ideas

Organisation isolation

Every piece of data in SaaSValidatr is scoped to your organisation using PostgreSQL Row-Level Security (RLS). This isn't application-level filtering that could have bugs — it's enforced at the database layer. Queries physically cannot return data from another organisation.

Every table — ideas, scores, comments, reactions, projects, infrastructure, notifications — is protected by the same RLS policy. There are no exceptions.

AI processing

When you submit an idea, it's sent to Anthropic's Claude API for scoring. Under Anthropic's API terms:

• Your data is not used for model training
• Inputs and outputs are not stored by Anthropic beyond 30 days
• Data is processed, not retained

We don't use any other AI providers. Your ideas only touch Claude's API, and only for the specific analysis you request.

Anonymous scoring

When your team scores ideas, identities are hidden until everyone has voted. Score notification emails say “A team member scored your idea” — they never reveal who. Scores are immutable after submission.

This isn't just a UI choice — the API enforces it. There is no endpoint that reveals who scored what before the deadline.

Encryption

All data is encrypted in transit via TLS 1.3. Data at rest is encrypted by our database provider (Supabase/AWS). Passwords are hashed, never stored in plain text.

Authentication and access

• Email/password authentication with optional WebAuthn passkeys (biometric login)
• Every API route verifies authentication before processing
• Rate limiting on all endpoints to prevent abuse
• Admin actions (inviting users, changing roles) require admin role verification
• Cross-org access is blocked at both the API and database level

Third-party services

We use a minimal set of trusted providers, each with their own security commitments:

Your data, your control

You can delete all your data at any time from Settings. This permanently removes all ideas, scores, comments, reactions, AI analysis, projects, and infrastructure — instantly and irreversibly. We don't keep backups of deleted data.

What we don't do

• We don't sell your data to anyone
• We don't train AI models on your ideas
• We don't share your content with other organisations
• We don't use third-party advertising or tracking cookies
• We don't access your idea content for any purpose other than delivering the service

AWS KMS encryption

Your ideas are encrypted at rest using AWS Key Management Service with a unique encryption key per organisation. Keys are managed by AWS — not stored in our codebase or database. Every encryption and decryption event is logged to an audit trail visible to you in Settings.

During AI scoring, your idea is decrypted in server memory, sent to Anthropic's API over TLS, and discarded after the response. The plaintext exists in memory for seconds. At rest, it's always encrypted.

Found a vulnerability?

We maintain an active bug bounty programme. If you find a security issue, we want to know about it — and we'll pay you for it.

• Report via HackerOne or email security@saasvalidatr.com
• Critical findings (RLS bypass, auth bypass): up to $500
• We respond within 48 hours and triage within 7 days
• Full details in our SECURITY.md

Open source & transparency

Our security-critical code is open source on GitHub — RLS policies, auth middleware, encryption module, rate limiting. Anyone can audit how we protect your data.

We publish a quarterly transparency report showing platform stats, security incidents (zero to date), and accountability metrics.