SECURITY
The encryption and access controls that protect your data.
TLS 1.3 in transit
All endpoints enforce TLS 1.3. HSTS is enabled with a 1-year max-age. No plain-text endpoints.
Neon manages transparent AES-256 encryption at the storage layer. Backups inherit the same encryption. BYOK (bring your own key) is on the roadmap for Q3 2026.
Email + password (hashed with bcrypt) and Google OAuth. Sessions are JWT-signed and persisted in Neon (same EU region). TOTP 2FA is available to all users.
All write actions (create, update, delete, export) are logged append-only with 12-month retention. Workspace admins can export logs from Settings → Trust.
All public endpoints and auth actions are rate-limited per IP and per workspace. AI endpoints have separate limits per model and per minute. Requests that exceed a limit receive a 429 response with a Retry-After header.