Security at Guideframe
Your data is protected by enterprise-grade security. All our infrastructure providers are SOC 2 Type II certified.
Infrastructure security
WorkOS: Enterprise SSO & Auth
Supabase: Database
Vercel: Hosting & CDN
Sentry: Error Tracking
Stripe: Payments
OpenRouter: AI Gateway (Anthropic, OpenAI)
Braintrust: AI Observability
Exa.ai: AI Search
Nango: OAuth Integrations
PostHog: Product Analytics
Data protection
Encryption in transit
All connections use TLS 1.2+ encryption. We enforce HTTPS on all endpoints.
Encryption at rest
All data is encrypted at rest using AES-256 encryption via our database provider.
Row Level Security
Database access is controlled by Row Level Security policies. Users can only access their own data.
No data selling
We never sell your personal information. Your data is used only to provide the service.
Data retention
Data is retained for the life of your account. After deletion, data is permanently removed within 30 days.
Backups
Data is automatically backed up with point-in-time recovery through Supabase. Backups are encrypted and stored separately.
Application security
Authentication: Secure session management via WorkOS with enterprise SSO support. Email/password and social login available.
Input validation: All user input is validated using Zod schemas on both client and server.
Security headers: HSTS, X-Content-Type-Options, X-Frame-Options, and Content Security Policy headers on all responses.
Dependency scanning: Automated vulnerability scanning with security updates applied promptly.
Vulnerability disclosure: If you discover a security issue, report it to security@guideframe.com. We investigate all reports and respond within 48 hours.
AI and your data
When you use Guideframe, we send your goals and any documents you upload to AI providers to generate personalized content. We also send retrieved resource context (titles, descriptions, transcripts) to provide accurate recommendations.
For Team accounts with connected integrations, documents from those services (e.g., Google Drive, Notion) may also be sent to AI providers when used as context for content generation.
We do not send personally identifiable information (name, email) to AI providers. We only send the content you explicitly provide or authorize.
We do not use your data to train AI models. Your learning goals and progress are used only to provide you with the service.
Your rights
You have control over your data:
View and update your profile information anytime
Delete your content anytime
Request account deletion or a full data export via email
For data requests, account deletion, or security concerns, contact us at security@guideframe.com.
Incident response
In the event of a security incident affecting your data, we notify affected users within 72 hours. We maintain documented incident response procedures and conduct post-incident reviews to prevent recurrence.
Compliance
We follow SOC 2 security controls and best practices. All our infrastructure vendors are SOC 2 Type II certified. As we grow, we plan to pursue formal certification.
For users in the European Union, we respect your rights under GDPR including data access, rectification, portability, and erasure. We minimize data collection, provide transparency about processing, and honor deletion requests. All infrastructure vendors support EU data residency.
Need more details for your security review? We're happy to answer questionnaires and provide documentation. Contact security@guideframe.com.