Skip to main content

Trust & Infrastructure

How We Protect Your Data

Valentino AI runs on Supabase (Postgres) and Vercel. Here is exactly how we protect your data — no buzzwords, just facts.

Encryption at Rest

All data stored in Supabase Postgres is encrypted with AES-256 at the disk layer, managed by AWS. Object storage (uploads, generated images) is encrypted the same way.

Encryption in Transit

All connections use TLS 1.3. Traffic between your browser and our servers, and between our servers and third-party APIs (Gemini, OpenRouter, Perplexity, Apify), is encrypted.

Data Isolation

Postgres Row-Level Security policies enforce per-user data isolation. Every row carries an owner; users can only read and write rows they own. Service-role access is restricted to server-side code paths.

Zero Data Training

We never use your business data, generated reports, or uploaded images to train AI models. Your proprietary information stays yours.

Server-Side Secrets

API keys for Gemini, OpenRouter, Apify, Apollo, and other services are stored server-side only. They are never exposed to the client browser.

Authentication

Supabase Auth handles user auth with email + password (with email verification), Google OAuth, and password reset flows. Passwords are bcrypt-hashed; we never store plaintext.

Infrastructure Providers

Our security posture is built on the compliance certifications of our infrastructure providers:

Supabase (Postgres + Auth + Storage)

SOC 2 Type II, HIPAA-eligible · runs on AWS (SOC 1/2/3, ISO 27001, FedRAMP)

Vercel

SOC 2 Type II, ISO 27001, GDPR

Cloudflare (DNS/CDN)

SOC 2 Type II, ISO 27001, PCI DSS

Compliance & Privacy Posture

Where we stand today. We list status honestly — certifications-in-progress are flagged, not implied.

In progress

SOC 2 Type II

We inherit SOC 2 from Google Cloud and Vercel today. A direct Valentino AI audit is on the roadmap; reach out if you need our security questionnaire for procurement.

Active

GDPR & CCPA

Users in the EU and California can request data export or deletion from privacy@valentinoai.com. We do not sell personal data, and we honor opt-outs from training (see “Zero Data Training” above).

Active

Data Processing Agreement

DPA available on request for business customers. Email hello@valentinoai.com.

Future

HIPAA

Not currently in scope. Don’t upload PHI to Valentino AI today.

Last reviewed: May 2026

Reporting Security Issues

If you discover a security vulnerability, please report it responsibly to security@valentinoai.com (or hello@valentinoai.com). We take all reports seriously and will respond within 48 hours.