Security

Last updated: March 1, 2026

Security is foundational to Bespoke Analytics — not a feature we added after the fact. Your business data is sensitive, and we treat it that way. This page describes the security practices we use to protect your information.

Have a security concern? Email us immediately at sterlingconsultingservices@hotmail.com. We take all reports seriously and respond within 24 hours.

Infrastructure Security

Hosting & Cloud

Bespoke Analytics is hosted on Vercel (application layer) and Railway (database), two infrastructure providers with enterprise-grade physical and network security. All servers are located in SOC 2 Type II certified data centers.

Network Security

  • All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher
  • HTTP Strict Transport Security (HSTS) is enforced — we never serve content over insecure connections
  • Database connections are restricted to private VPC networks; the database is never exposed to the public internet
  • All external API calls use HTTPS

Data Encryption

Encryption at Rest

All data stored in our database is encrypted at rest using AES-256, the same standard used by banks and government agencies. Database backups are also encrypted using the same standard.

Encryption in Transit

All data moving between components of our system — including database queries, API calls, and file transfers — is encrypted using TLS. We do not transmit sensitive data in plain text anywhere in our stack.

Sensitive Credentials

Database connection strings and API keys you store are encrypted before being written to our database. Passwords are never stored in plain text — we use Firebase Authentication, which handles password hashing using industry-standard bcrypt.

Access Controls

  • Workspace isolation — all data is scoped to workspaces; users can only access data in workspaces they belong to
  • Authentication — powered by Firebase Authentication, supporting Google SSO and email/password sign-in, with secure token management
  • Session management — sessions expire and are invalidated on logout; tokens are rotated regularly
  • Principle of least privilege — internal systems and team members have access only to what is strictly necessary
  • Multi-factor authentication — available for all accounts (strongly recommended)

Application Security

  • Input validation — all user inputs are validated and sanitized using Zod schema validation on both client and server
  • SQL injection prevention — we use Prisma ORM with parameterized queries; direct SQL string concatenation is never used
  • CSRF protection — all state-changing API requests are protected against cross-site request forgery
  • Rate limiting — API endpoints are rate-limited to prevent abuse
  • Dependency scanning — we regularly audit our npm dependencies for known vulnerabilities
  • Content Security Policy — strict CSP headers are applied to prevent XSS attacks

Your Data — What We Access and When

When you connect a data source (e.g., Google Sheets, CSV, database), we access your data only when you submit a query. Your data is sent to our AI provider (Anthropic) to generate an answer, then immediately discarded — we do not store the raw rows of your business data on our servers.

We store the questions you ask and the answers generated, so you can revisit them. We do not store your raw business data.

Vulnerability Disclosure

We welcome responsible disclosure of security vulnerabilities. If you discover a potential security issue, please email sterlingconsultingservices@hotmail.com with details. We will acknowledge your report within 24 hours and work to address verified issues promptly.

Please do not publicly disclose any vulnerability until we have had a reasonable opportunity to investigate and address it. We appreciate responsible disclosure and will acknowledge security researchers who help us improve our platform.

Incident Response

In the event of a security incident that affects your data, we will:

  • Notify affected users within 72 hours of becoming aware of the incident
  • Provide a clear description of what happened, what data was affected, and what we're doing about it
  • Work transparently throughout the investigation
  • Report to relevant regulatory authorities as required by applicable law

Compliance Roadmap

  • SOC 2 Type II — in progress (target: Q4 2026)
  • GDPR — compliant. See our GDPR page for details.
  • CCPA — compliant for California residents

Questions

For security questions or to report a vulnerability: sterlingconsultingservices@hotmail.com