GENIMATE

SECURITY

Security is a core part of how GeniMate is built, not an afterthought. This page describes our practices for keeping your data and the platform secure.

Encryption in Transit

All data between your browser and our servers is encrypted with TLS 1.2+. We enforce HSTS with a 2-year max-age and preloading.

Encryption at Rest

Databases and file storage (Supabase/PostgreSQL) use AES-256 encryption at rest. Passwords are hashed with bcrypt (cost factor 12).

Authentication Security

JSON Web Tokens are signed with HS256 and short-lived. Progressive lockout blocks brute-force attempts after 5 failed logins. Email verification is required before first sign-in.

Access Controls

All API endpoints require authentication. Row-level checks verify resource ownership on every request. Render credits are enforced with atomic database operations to prevent race conditions.

Rate Limiting & DDoS Protection

Global rate limits (120 req/min per IP), per-route limits for auth (10/min) and AI (30/hr), progressive slowdown on login, and HTTP Parameter Pollution guards are applied.

Input Validation & SSRF Prevention

All user inputs are sanitised and length-capped. URLs submitted for brand scanning are validated against a blocklist of private IPv4/IPv6 ranges to prevent SSRF attacks.

Infrastructure

GeniMate runs on Railway (application servers) and Supabase (PostgreSQL + file storage). Both providers operate in US-based data centres with SOC 2 compliance. Redis caching is provided by Upstash with TLS-only connections.

Third-Party Integrations

Payment card data is never processed or stored by GeniMate. All payment flows go directly to Stripe (PCI DSS Level 1 certified). AI generation calls are made to Anthropic and OpenAI APIs over encrypted connections; prompts are not stored by those providers beyond their standard retention policies.

Responsible Disclosure

If you discover a security vulnerability in GeniMate, please report it to us at security@genimate.com. We ask that you give us reasonable time to address the issue before public disclosure. We do not pursue legal action against good-faith researchers who follow responsible disclosure guidelines.

We aim to acknowledge reports within 48 hours and provide a resolution timeline within 7 days.

For security questions or to report a vulnerability: security@genimate.com