Security

Authentication

User authentication is managed by Clerk, an enterprise-grade authentication provider. We support email/password and social login (GitHub, Google). Session management and token refresh are handled securely by Clerk's infrastructure. Protected routes are enforced via middleware that validates authentication state on every request.

Token Encryption

When you connect a third-party service, the OAuth access token and refresh token are encrypted using AES-256-GCM before being stored in our database. The encryption uses a unique initialization vector (IV) per token and produces an authenticated ciphertext with integrity verification. Tokens are only decrypted in-memory during active data extraction and are never logged or exposed in error messages.

Payment Security

All payment processing is handled by Stripe, a PCI-DSS Level 1 certified payment processor. We never see, store, or process credit card numbers. Stripe webhook events are verified using cryptographic signatures before processing.

Infrastructure

HandoffAI is hosted on Vercel's serverless platform with automatic HTTPS/TLS encryption for all traffic. Our database is hosted on Supabase with enterprise-grade PostgreSQL, including automated backups, row-level security capabilities, and encrypted connections. All inter-service communication uses TLS 1.2 or higher.

AI Data Handling

Project data sent to AI providers (Anthropic, OpenRouter) for handoff generation is processed in real-time and is not stored by the AI providers for model training. We use API-based access with authentication and do not share data beyond what is necessary for document generation.

Rate Limiting

All API endpoints are protected by rate limiting to prevent abuse. This includes limits on handoff generation, OAuth connections, and general API usage.

Reporting Vulnerabilities

If you discover a security vulnerability, please report it responsibly by emailing admin@handoffai.com. We take all reports seriously and will respond within 48 hours.