Security

Last updated: May 2026

Security is a core part of how Deepheem is built. This page describes the technical and organisational measures we apply to protect your data and keep the platform secure. If you have a specific security concern or wish to report a vulnerability, contact us at support@deepheem.com.

1. Infrastructure and hosting

Deepheem is hosted on Vercel, a production-grade cloud platform. All traffic between your browser and our servers is encrypted using TLS 1.2 or higher. HTTPS is enforced on all routes — plain HTTP connections are automatically redirected.

Our database and authentication layer runs on Supabase, which is built on top of Amazon Web Services (AWS) infrastructure. Supabase maintains SOC 2 Type II compliance and applies industry-standard security controls at the infrastructure level.

2. Data encryption

  • In transit: All data transmitted between your device and Deepheem is encrypted via TLS. This includes your login credentials, investigation briefs, and generated reports.
  • At rest: Your data is stored in encrypted form on Supabase-managed PostgreSQL databases hosted on AWS. Encryption at rest is applied at the storage level using AES-256.
  • Passwords: Passwords are never stored in plain text. Supabase uses bcrypt hashing with salting for all password storage.

3. Authentication and access controls

Deepheem uses Supabase Auth for session management. Authentication tokens (JWTs) are short-lived and stored securely using HTTP-only cookies where applicable.

  • Password requirements: Passwords must be at least 10 characters and include an uppercase letter, a number, and a special character.
  • Google OAuth: Users who sign in with Google are authenticated directly through Google's identity infrastructure. We never receive or store your Google password.
  • Multi-factor authentication (MFA): Time-based one-time password (TOTP) MFA is available to all users and can be enabled in account settings.
  • Login notifications: Each new sign-in triggers a security alert email to your registered address, including device type, browser, and IP address.
  • Session management: You can view and revoke active sessions from your account settings. Automatic session timeout can be configured to 24 hours, 7 days, or 30 days.
  • Row-level security: Our database enforces row-level security (RLS) policies so that users can only access their own data. No user can query another user's investigations or profile.
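To illustrate the row-level security point above, here is an added example (not Deepheem's actual schema or policies) of how a Supabase/PostgreSQL table is locked down so that each user can only reach their own rows. The table name "investigations" and its columns are hypothetical; `auth.uid()` is the Supabase helper that returns the user id carried in the caller's JWT.

```sql
-- Added illustration, not Deepheem's schema: a hypothetical "investigations"
-- table with an owner column, shown first without RLS and then hardened.

-- Weak setting: RLS is not enabled, so any role that can reach this table
-- through the API can read and modify every user's rows.
create table investigations (
  id         bigint generated always as identity primary key,
  user_id    uuid not null references auth.users (id),
  brief      text not null,
  created_at timestamptz not null default now()
);

-- Corrected setting: enable RLS (which denies everything until a policy
-- allows it) and add owner-only policies keyed on the caller's JWT subject.
alter table investigations enable row level security;

create policy "owners can read their own investigations"
  on investigations for select
  using (auth.uid() = user_id);

create policy "owners can insert their own investigations"
  on investigations for insert
  with check (auth.uid() = user_id);

create policy "owners can update their own investigations"
  on investigations for update
  using (auth.uid() = user_id)
  with check (auth.uid() = user_id);

create policy "owners can delete their own investigations"
  on investigations for delete
  using (auth.uid() = user_id);

-- Behaviour to check: with these policies in place, a select from a user whose
-- auth.uid() does not match user_id returns zero rows rather than an error,
-- so application code must treat an empty result as "not yours", not "missing".
```

Two details worth verifying in any RLS setup: enabling RLS with no policies blocks all access for ordinary roles (a safe default), and the `with check` clause on insert and update is what stops a user from writing rows that claim another user's `user_id`.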

4. Payment security

All payment processing is handled exclusively by Stripe, a PCI DSS Level 1 certified payment processor. Deepheem never receives, stores, or transmits your full card number, CVV, or bank account details. Stripe issues us only a token reference to your payment method.

Stripe's security practices are documented at stripe.com/docs/security.

5. Data access and internal controls

  • Access to production systems and user data is restricted to essential personnel only.
  • Administrative access to the database requires authenticated, permissioned credentials.
  • We do not sell, rent, or share your personal data or investigation data with third parties for their own marketing or commercial purposes.
  • Your investigation briefs and reports are not used to train any AI model, including our own.

6. Third-party sub-processors

We use a limited number of trusted sub-processors to operate the platform. Each is bound by a data processing agreement and maintains its own security standards:

  • Supabase: database, authentication, and storage
  • Vercel: application hosting and deployment
  • Stripe: payment processing and subscription management
  • Resend: transactional email delivery
  • Anthropic: AI investigation processing (Claude language model)

7. Incident response

In the event of a security incident that affects your personal data, we will notify affected users without undue delay and in accordance with our obligations under UK GDPR. Where required, we will also notify the UK Information Commissioner's Office (ICO) within 72 hours of becoming aware of a notifiable breach.

We will communicate clearly about what data was affected, what steps we have taken, and what actions you should consider.

8. Vulnerability disclosure

If you discover a security vulnerability in Deepheem, we ask that you report it to us responsibly before making it public. Please send details to support@deepheem.com with the subject line "Security Vulnerability".

We will acknowledge your report within 3 business days, investigate promptly, and keep you informed of our progress. We will not take legal action against researchers who act in good faith and follow this responsible disclosure process.

9. Questions

If you have any questions about our security practices, contact us at support@deepheem.com.