
Security

How we keep your proposals, signatures, and account data safe.

Last updated: March 2026 (Version 1.0)

Our security commitment

Security is not an afterthought at Closio AI — it is built into every layer of the product. Your proposals contain sensitive business information. Your clients' signatures carry legal weight. We take both seriously.

Infrastructure

  • Hosted on Vercel — ISO 27001 certified infrastructure — automatic HTTPS on all endpoints
  • Database hosted on Supabase — SOC 2 Type II certified — PostgreSQL with encrypted storage
  • Self-hosted Docuseal e-signature server running on a dedicated Ubuntu VPS — isolated in a Docker container
  • All DNS managed through Cloudflare — DDoS protection, bot filtering, and WAF enabled
  • Vercel and Supabase both operate with regional redundancy, so the web application and database have no single point of failure

Encryption

  • All data in transit encrypted with TLS 1.3 — enforced on every endpoint
  • All data at rest encrypted using AES-256 — Supabase managed encryption
  • Signature images stored in encrypted Supabase Storage buckets
  • Signed PDF documents stored in private encrypted buckets — accessible only via time-limited signed URLs
  • Environment variables and API keys stored as encrypted secrets in Vercel

Authentication security

Authentication is handled by Clerk.dev — a purpose-built authentication platform used by thousands of production applications.

  • Passwords are hashed with bcrypt by Clerk — plaintext passwords are never stored
  • Google OAuth available as a passwordless login option
  • Email verification required before account activation
  • JWT-based sessions with short expiry — refreshed automatically, so a leaked session token is only usable until it expires
  • Two-factor authentication (2FA) available on all accounts

Data access control

Row Level Security (RLS) is enabled on every table in our Supabase database. RLS policies are evaluated by PostgreSQL itself on every query, so access is restricted to a user's own rows at the database layer rather than only in application code.

  • Every API route verifies the Clerk session JWT before processing any request
  • The Supabase service role key, which bypasses RLS, is used only in specific server-side API routes and is never sent to the client
  • Team access is explicitly scoped — team members can only access proposals within their own workspace

E-signature security

E-signatures are handled by our self-hosted Docuseal instance at sign.closioai.com.

  • Every signature submission records a full audit trail — timestamp, IP address, user agent
  • Audit certificate generated for every completed signature — a PDF whose contents can be cryptographically verified
  • Signature data stored on our own server — not in a third-party cloud
  • Proposal links are token-based — each token is a randomly generated 12-character string, so links cannot be derived from proposal IDs or from one another
  • Expired proposals cannot be signed — expiry enforced at the API level

Bot and abuse protection

  • Cloudflare Turnstile protects all public-facing forms including the beta signup form
  • Cloudflare WAF active on all traffic — blocks known attack patterns
  • Rate limiting applied to AI generation endpoints — prevents abuse
  • Webhook endpoints verify the sender's signature on each payload before processing it

Responsible disclosure

If you believe you have found a security vulnerability in Closio AI, we ask that you report it responsibly.

  • Email: security@closioai.com
  • Include a description of the vulnerability and steps to reproduce
  • Do not access or modify data that does not belong to you
  • Do not disclose the vulnerability publicly until we have had time to respond

Note: We appreciate responsible security researchers and will acknowledge your contribution.