SECURITY

Security at Coplain

Coplain is used to process manufacturing procedures, quality records, and audit documents. We take the security of that information seriously.

HTTPS everywhere

All traffic is routed through Cloudflare and encrypted using TLS 1.3. We enforce HTTPS on every endpoint; no plain-text connections are permitted.

Data encrypted at rest

Your account data, profile, and usage records are stored in Supabase (PostgreSQL on AWS), which encrypts data at rest using AES-256.

No document storage

Documents you upload for processing are not stored on our servers beyond the active session. Files are processed in memory and discarded immediately after your result is returned.

Password hashing

All passwords are hashed using bcrypt via Supabase Auth. We enforce a minimum password strength at signup and never store credentials in plain text.

Session management

Dashboard sessions automatically expire after 1 hour of inactivity. Failed login attempts are rate-limited and temporarily locked after 5 consecutive failures.

API rate limiting

All AI processing endpoints are rate-limited per IP and per user to prevent abuse. Unauthenticated requests to AI routes are rejected at the edge.

Row-level security

Authentication is handled by Supabase Auth with row-level security (RLS) enforced on every database table. Users can only query and modify their own data; access is enforced at the database layer, not just the application layer.

🏒
Third-party security posture

Our infrastructure relies on Stripe (PCI DSS Level 1 certified), Supabase (SOC 2 Type II), Cloudflare (ISO 27001), and Anthropic, each maintaining their own rigorous security programs. Document content sent to Anthropic's API is subject to their security controls and is not used to train models by default.

🚨
Incident response

In the event of a security breach affecting your data, we will notify affected users within 72 hours of discovering the incident, as required by applicable law. Notifications include the nature of the breach, data affected, and remediation steps taken.

SOC 2 compliance

SOC 2 Type II certification is planned for 2027. Enterprise customers with immediate compliance requirements can contact us to discuss our current security posture, available documentation, and roadmap.

REPORT A VULNERABILITY

Found a security issue?

If you discover a potential security vulnerability, please disclose it responsibly by emailing us directly. We aim to respond within 48 hours.

security@coplain.com