Security

How we protect your data.

Cerna is built on top of well-audited infrastructure and we keep the trust surface deliberately small. Here’s how the pieces fit together.

Encryption

  • In transit: all traffic to and from cerna.app is served over TLS 1.2+.
  • At rest: stored data is encrypted by our database provider (Supabase / AWS-managed Postgres) using AES-256.

Authentication

Authentication is handled by Supabase Auth. Today, signup is via GitHub OAuth. Email-and-password and additional providers are on the roadmap. We never see your GitHub credentials — OAuth tokens are issued and stored by Supabase.

Session cookies are HTTP-only and scoped to the cerna.app domain.

Database security

All tables containing user data have row-level security (RLS) enforced. Application traffic uses the anonymous role and can only ever see rows that belong to the authenticated user.

The service-role key — which bypasses RLS — is restricted to a small set of server-only code paths (background jobs, scan workers) and is never exposed to the browser.
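
As an added illustration (not Cerna's own schema or code), this is the Supabase RLS pattern the paragraph above describes, on a hypothetical `projects` table: RLS is switched on, each policy compares the row's `owner_id` to `auth.uid()` (the subject of the caller's JWT, null for an unauthenticated request), and the final query is the check a reviewer would run to confirm no public table was left with RLS disabled.

```sql
-- Added example, not Cerna's own schema: a hypothetical "projects" table
-- owned by a single user, locked down the way the page describes.
create table if not exists projects (
  id         bigint generated always as identity primary key,
  owner_id   uuid not null default auth.uid() references auth.users (id),
  name       text not null
);

-- Without this line, the table grants alone let the anon/authenticated
-- roles read and write every row. With it and no policies, they see none.
alter table projects enable row level security;

-- Each policy compares the row's owner to the caller's JWT subject.
-- auth.uid() is null for unauthenticated requests, so they match nothing.
create policy "owners can read own projects"
  on projects for select
  to authenticated
  using (owner_id = auth.uid());

create policy "owners can insert own projects"
  on projects for insert
  to authenticated
  with check (owner_id = auth.uid());

create policy "owners can update own projects"
  on projects for update
  to authenticated
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());

create policy "owners can delete own projects"
  on projects for delete
  to authenticated
  using (owner_id = auth.uid());

-- Audit query (run with the service role, which bypasses RLS): any row
-- returned is a public table whose data is not protected by RLS at all.
select schemaname, tablename, rowsecurity
from pg_tables
where schemaname = 'public' and rowsecurity = false;
```

The `with check` clauses matter as much as `using`: without them a user could insert or update a row so that it belongs to someone else.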

Secrets management

API keys for our model providers, search providers, and integrations are stored as encrypted environment variables in Vercel and Trigger.dev. They are never committed to source control. Access to production secrets is restricted to the founding team.

Third-party processors

We rely on a small number of vendors to operate Cerna. Each operates under its own security program; the ones with formal certifications today include:

  • Supabase — SOC 2 Type II
  • Vercel — SOC 2 Type II, ISO 27001
  • Stripe — PCI DSS Level 1, SOC 2 Type II, ISO 27001
  • Google Cloud (Gemini) — SOC 1/2/3, ISO 27001, ISO 27018
  • Anthropic — SOC 2 Type II
  • Resend — SOC 2 Type II

The full vendor list is on the privacy page.

Incident response

If we discover a security incident that affects your data, we’ll notify affected users within 72 hours of confirmation, by email. The notification will include what we know, what we’ve done, and what we recommend you do.

Reporting a vulnerability

If you think you’ve found a security issue, email hello@cerna.app with details. We’ll acknowledge within two business days. Please don’t test against live user data — we’ll provide a test account on request.

Compliance roadmap

We are working toward SOC 2 Type II as the team scales. Cerna is not currently certified. If your organization needs a particular compliance posture before adopting Cerna, write to hello@cerna.app and we’ll discuss what’s practical.