Security overview
Last reviewed: 2026-05-17 · Owner: security@repulabs.com
Repulabs handles sensitive customer-of-customer data: review content, reviewer names, phone numbers, email addresses, OAuth tokens, and AI training samples in your brand voice. This page is the short, honest version of how we protect it. The long version lives in our SOC 2 Type II report, available under NDA from security@repulabs.com.
1. Encryption
- In transit — TLS 1.3 everywhere. HSTS preloaded with 1-year max-age and subdomain inclusion. No mixed-content fallback paths.
- At rest — Postgres rows are stored on Neon, which encrypts the underlying disks transparently. Sensitive columns (OAuth access and refresh tokens, voice clone samples) are additionally encrypted at the application layer with AES-256-GCM, using a fresh IV per row and a per-org encryption context that is authenticated along with the ciphertext, so a value copied into another tenant's row does not decrypt. Keys are never written to logs; rotation is automated quarterly.
- Activation codes — hardware activation codes are stored as a SHA-256 hash from the moment they are inserted. The plaintext exists only in the admin batch ZIP and with the customer at redemption time; the database holds nothing from which a code can be recovered.
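An added example (not Repulabs' code) of the column-level scheme described above, in TypeScript against node:crypto. The in-memory key ring, the key IDs and the org:<id> context string are assumptions for illustration; it also walks through the rotation step, which the page mentions but does not describe.

```typescript
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

// Constructed key ring. In production the keys come from a KMS or secret store,
// never from source or logs; the key ID is stored beside each ciphertext so
// rows written before a rotation still decrypt.
const keyRing = new Map<string, Buffer>([["k-2026q2", randomBytes(32)]]);
let currentKeyId = "k-2026q2";

export interface EncryptedColumn {
  keyId: string;
  iv: string;   // base64, 12 bytes, fresh per row
  tag: string;  // base64, 16-byte GCM authentication tag
  data: string; // base64 ciphertext
}

// The per-org "encryption context" is passed as GCM additional authenticated
// data: it is not secret, but it is covered by the tag, so the same ciphertext
// presented under a different org ID fails authentication.
function contextFor(orgId: string): Buffer {
  return Buffer.from(`org:${orgId}`, "utf8");
}

export function encryptColumn(plaintext: string, orgId: string): EncryptedColumn {
  const key = keyRing.get(currentKeyId)!;
  const iv = randomBytes(12); // must never repeat under the same key
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(contextFor(orgId));
  const data = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return {
    keyId: currentKeyId,
    iv: iv.toString("base64"),
    tag: cipher.getAuthTag().toString("base64"),
    data: data.toString("base64"),
  };
}

// Returns null on any authentication failure: unknown key, wrong org context,
// or a modified ciphertext or tag. Callers treat null as "do not use".
export function decryptColumn(col: EncryptedColumn, orgId: string): string | null {
  const key = keyRing.get(col.keyId);
  if (!key) return null;
  try {
    const decipher = createDecipheriv("aes-256-gcm", key, Buffer.from(col.iv, "base64"));
    decipher.setAAD(contextFor(orgId));
    decipher.setAuthTag(Buffer.from(col.tag, "base64"));
    const pt = Buffer.concat([decipher.update(Buffer.from(col.data, "base64")), decipher.final()]);
    return pt.toString("utf8");
  } catch {
    return null;
  }
}

// Rotation: add a new key and make it current. Old keys stay in the ring for
// decryption only, until every row has been re-encrypted (lazily or in a batch).
export function rotateKey(newKeyId: string, newKey: Buffer = randomBytes(32)): void {
  if (keyRing.has(newKeyId)) throw new Error("key ID already in ring");
  keyRing.set(newKeyId, newKey);
  currentKeyId = newKeyId;
}

export function reencryptColumn(col: EncryptedColumn, orgId: string): EncryptedColumn | null {
  const pt = decryptColumn(col, orgId);
  return pt === null ? null : encryptColumn(pt, orgId);
}

export function currentKey(): string {
  return currentKeyId;
}
```

Decryption deliberately collapses every failure into null: distinguishing "wrong org" from "corrupt ciphertext" in an error message would give an attacker an oracle and gains the application nothing.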
2. Access control
- Tenant isolation — every read and write runs through withTenant(orgId, ...), which sets a Postgres session variable that row-level-security policies enforce. A code path that forgets the wrapper still cannot read another tenant's rows: with no variable set, the policy matches nothing and the query returns no rows.
- Admin separation — admin sessions live on a separate cookie scoped to admin.repulabs.com with SameSite=Strict; HttpOnly; Secure. Admin actions are audit-logged with the actor ID, and every admin endpoint checks the request's origin host.
- Employee access — break-glass production access is logged to an append-only audit table and requires two-person review. We do not have raw database consoles in production.
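An added example (not Repulabs' code or schema) of how the tenant wrapper and a row-level-security policy fit together, in TypeScript. The reviews table, the app.org_id setting name and the in-memory stand-in for Postgres are assumptions; the stand-in exists only so the wrapper can be exercised offline, including the "forgot the wrapper" case.

```typescript
// Policy DDL (assumed). FORCE makes the policy apply to the table owner too.
// The application role must also be neither SUPERUSER nor BYPASSRLS, or the
// policy is skipped entirely; that is the check worth adding to CI.
export const RLS_DDL = `
ALTER TABLE reviews ENABLE ROW LEVEL SECURITY;
ALTER TABLE reviews FORCE ROW LEVEL SECURITY;
CREATE POLICY tenant_isolation ON reviews
  USING      (org_id = NULLIF(current_setting('app.org_id', true), '')::uuid)
  WITH CHECK (org_id = NULLIF(current_setting('app.org_id', true), '')::uuid);
`;

// Minimal shape of a node-postgres client, enough to drive the wrapper.
export interface PgClient {
  query(text: string, params?: unknown[]): Promise<{ rows: Record<string, unknown>[] }>;
}

const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Every data access goes through here. set_config(name, value, true) is the
// bind-parameter form of SET LOCAL: the value lives only until COMMIT or
// ROLLBACK, so a pooled connection never carries one tenant's org ID into the
// next request (a plain SET would).
export async function withTenant<T>(
  client: PgClient,
  orgId: string,
  fn: (c: PgClient) => Promise<T>,
): Promise<T> {
  if (!UUID_RE.test(orgId)) throw new Error("withTenant: orgId is not a UUID");
  await client.query("BEGIN");
  try {
    await client.query("SELECT set_config('app.org_id', $1, true)", [orgId]);
    const out = await fn(client);
    await client.query("COMMIT");
    return out;
  } catch (err) {
    await client.query("ROLLBACK");
    throw err;
  }
}

// Constructed in-memory stand-in that applies the policy above to one table.
export class FakeRlsClient implements PgClient {
  private orgId: string | null = null;
  constructor(private readonly reviews: { id: number; org_id: string; body: string }[]) {}

  async query(text: string, params: unknown[] = []): Promise<{ rows: Record<string, unknown>[] }> {
    if (text === "BEGIN") return { rows: [] };
    if (text === "COMMIT" || text === "ROLLBACK") {
      this.orgId = null; // SET LOCAL ends with the transaction
      return { rows: [] };
    }
    if (text.startsWith("SELECT set_config('app.org_id'")) {
      this.orgId = String(params[0]);
      return { rows: [] };
    }
    if (text === "SELECT id, body FROM reviews") {
      // current_setting('app.org_id', true) is NULL when unset, and NULL = x is
      // never true: a query that skipped withTenant sees no rows, not everyone's.
      const visible = this.reviews.filter((r) => this.orgId !== null && r.org_id === this.orgId);
      return { rows: visible.map<Record<string, unknown>>(({ id, body }) => ({ id, body })) };
    }
    throw new Error(`FakeRlsClient: unsupported query ${text}`);
  }
}

// Constructed sample data: two tenants, one review each.
export const ORG_A = "11111111-1111-4111-8111-111111111111";
export const ORG_B = "22222222-2222-4222-8222-222222222222";
export const SAMPLE_REVIEWS = [
  { id: 1, org_id: ORG_A, body: "Great service" },
  { id: 2, org_id: ORG_B, body: "Slow reply" },
];

export async function listReviews(client: PgClient, orgId: string) {
  return withTenant(client, orgId, async (c) => (await c.query("SELECT id, body FROM reviews")).rows);
}

// The same query with the wrapper forgotten: the policy matches nothing.
export async function listReviewsUnwrapped(client: PgClient) {
  return (await client.query("SELECT id, body FROM reviews")).rows;
}
```

Two things the policy alone does not cover: the role the application connects as must not bypass RLS, and the setting must be transaction-local rather than session-wide when a pooler sits between the app and Postgres.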
3. Authentication
- Customer accounts sign in with a magic link (the link token is stored hashed and expires after 15 minutes) or with Google / Microsoft SSO via Auth.js v5.
- Admin accounts use email + password, hashed with Argon2id. There is no second factor yet; WebAuthn / TOTP enrollment is on the day-15 roadmap.
- API access uses OAuth 2.0 Authorization Code + PKCE for third-party apps, or per-org bearer tokens for first-party scripts.
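An added example (not Repulabs' code) of the magic-link handling described above, in TypeScript: the emailed token is random, only its SHA-256 hash is stored, it expires after 15 minutes and it can be redeemed once. The same hash-at-insert, look-up-by-hash pattern is what the activation-code bullet in section 1 describes, with the assumption, stated here rather than on the page, that unsalted SHA-256 is adequate only because the secret is high-entropy and machine-generated. The store, clock injection and purge routine are illustrative assumptions.

```typescript
import { createHash, randomBytes } from "node:crypto";

// Hash-at-insert for a high-entropy secret. Unsalted SHA-256 is acceptable
// here because the input is 256 random bits, not a human-chosen password, so
// there is nothing to precompute. The same applies to activation codes only
// if the codes themselves carry enough entropy.
export function hashToken(token: string): string {
  return createHash("sha256").update(token, "utf8").digest("hex");
}

interface LinkRecord {
  email: string;
  expiresAt: number; // epoch ms
  usedAt: number | null;
}

export class MagicLinkStore {
  // Keyed by hash, like a DB index on token_hash: the plaintext is never stored.
  private readonly byHash = new Map<string, LinkRecord>();

  constructor(
    private readonly now: () => number = () => Date.now(),
    private readonly ttlMs: number = 15 * 60 * 1000,
  ) {}

  // Returns the one-time token to embed in the emailed link; only its hash is kept.
  issue(email: string): string {
    const token = randomBytes(32).toString("base64url");
    this.byHash.set(hashToken(token), { email, expiresAt: this.now() + this.ttlMs, usedAt: null });
    return token;
  }

  // Null for unknown, expired or already-used tokens. All three are the same
  // "no" to the caller so the response does not reveal which check failed.
  redeem(token: string): { email: string } | null {
    const rec = this.byHash.get(hashToken(token));
    if (!rec) return null;
    const t = this.now();
    if (rec.usedAt !== null || t > rec.expiresAt) return null;
    rec.usedAt = t; // single use: a link replayed from a mailbox is refused
    return { email: rec.email };
  }

  // Housekeeping: drop consumed and expired rows. Returns how many were removed.
  purge(): number {
    const t = this.now();
    let removed = 0;
    this.byHash.forEach((rec, h) => {
      if (rec.usedAt !== null || t > rec.expiresAt) {
        this.byHash.delete(h);
        removed++;
      }
    });
    return removed;
  }
}
```

Because the lookup key is a hash of a random 256-bit value, a plain index lookup is safe; a constant-time comparison becomes necessary only when a user-supplied secret is compared directly against a stored one.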
4. Network
- Application servers sit behind Nginx, which terminates TLS and validates the forwarded host against an allowlist. CSRF defense on state-changing endpoints: SameSite cookies plus an Origin-header check that the origin's host matches the request host.
- Database connections are TLS-only and IP-allowlisted to our VPS + a single bastion host.
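An added example (not Repulabs' code) of the request-level checks named in this section and in the admin bullet of section 2, in TypeScript over a plain header map so it runs without a framework: forwarded-host validation, the Origin-header same-host check, and the admin cookie attributes. The host allowlist is constructed, the __Host- cookie prefix goes one step beyond what the page states, and the assumption is that Nginx copies the client's Host header into X-Forwarded-Host, which makes that value attacker-controlled until it is checked.

```typescript
type HeaderMap = Record<string, string | undefined>; // lower-cased header names

// Constructed allowlist. Anything not on it is refused before routing, so a
// forged Host/X-Forwarded-Host cannot steer password-reset links or redirects.
const ALLOWED_HOSTS = new Set(["app.repulabs.com", "admin.repulabs.com"]);
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

export function resolveHost(h: HeaderMap): string | null {
  const raw = (h["x-forwarded-host"] ?? h["host"] ?? "").split(",")[0].trim().toLowerCase();
  const host = raw.replace(/:\d+$/, "");
  return ALLOWED_HOSTS.has(host) ? host : null;
}

export interface Verdict {
  ok: boolean;
  reason: string;
}

// Origin check for cookie-authenticated, state-changing endpoints. Bearer-token
// API calls carry no ambient credential and do not need it, so apply this per
// route rather than globally.
export function checkOrigin(method: string, h: HeaderMap): Verdict {
  const host = resolveHost(h);
  if (!host) return { ok: false, reason: "host not in allowlist" };
  if (SAFE_METHODS.has(method.toUpperCase())) return { ok: true, reason: "safe method" };
  const origin = h["origin"];
  // Modern browsers attach Origin to every POST/PUT/DELETE. A missing or "null"
  // Origin (sandboxed frame, some redirects) is treated as cross-site and refused.
  if (!origin || origin === "null") return { ok: false, reason: "missing Origin" };
  let parsed: URL;
  try {
    parsed = new URL(origin);
  } catch {
    return { ok: false, reason: "malformed Origin" };
  }
  if (parsed.protocol !== "https:") return { ok: false, reason: "non-https Origin" };
  // Exact hostname match: app.repulabs.com.evil.example and a sibling subdomain both fail.
  if (parsed.hostname !== host) return { ok: false, reason: `Origin ${parsed.hostname} is not ${host}` };
  return { ok: true, reason: "same-origin" };
}

// Admin session cookie. The __Host- prefix makes the browser refuse the cookie
// unless it is Secure, has no Domain attribute and Path=/, so a sibling
// subdomain cannot plant or overwrite it; SameSite=Strict stops it being sent
// on any cross-site navigation or request.
export function adminSessionCookie(value: string, maxAgeSeconds = 3600): string {
  if (!/^[A-Za-z0-9_-]+$/.test(value)) throw new Error("cookie value must be token-safe");
  return `__Host-admin_session=${value}; Path=/; Secure; HttpOnly; SameSite=Strict; Max-Age=${maxAgeSeconds}`;
}
```

The Origin check is the defence that survives a SameSite misconfiguration, and SameSite is the one that survives a client that omits Origin; keeping both is the point.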
5. Incident response
- 24/7 on-call engineering. Service-impacting incidents get a public status update at repulabs.com/status within 15 minutes.
- Customer-data incidents are disclosed to affected accounts within 72 hours. That window matches the GDPR Art. 33 deadline for notifying the supervisory authority and satisfies Art. 34, which requires informing affected data subjects without undue delay. A post-mortem is published within 14 days.
- Responsible-disclosure program published in security.txt (RFC 9116), with a 90-day disclosure window. We do not pursue legal action against good-faith researchers.
6. Compliance
- SOC 2 Type II — annual audit by an independent CPA firm. Report available under NDA.
- GDPR + Australian Privacy Act — full data subject rights pipeline (access, deletion, portability). DPA available at /legal/dpa.
- Sub-processors — listed at /legal/subprocessors with 30-day notice for additions.
7. Vulnerability disclosure
Found something? Email security@repulabs.com. PGP key fingerprint: 4F8B 7C12 9E4D 1A56 8B33 7E92 0F1D 6A8C C5E7 D421. We acknowledge within 24 hours and aim to remediate critical vulnerabilities within 7 business days.