Impresser

Security & Compliance

Last updated: 3/1/2026

At Impresser AI, protecting your data is not just a policy—it's engineered into every layer of our platform. We utilize enterprise-grade encryption, rigorous tenant isolation, and automated security verification to ensure your information remains secure, private, and compliant.

1. Compliance Frameworks

We align our security controls with major international standards to ensure we meet the rigorous requirements of modern enterprises.

SOC 2 Type II

Our controls are designed to meet SOC 2 Trust Services Criteria for Security, Availability, and Confidentiality. This includes strict logical access controls (CC6.1), authorization verification (CC6.2), and comprehensive audit logging (CC6.6).

GDPR

We are fully compliant with the General Data Protection Regulation (GDPR). We enforce data minimization (Art. 5(1)(f)), records of processing (Art. 30), and security of processing (Art. 32) through our architecture.

HIPAA

For healthcare-related data, we implement safeguards aligned with the HIPAA Security Rule, including access controls (§164.312(a)(1)), audit controls (§164.312(b)), and transmission security (§164.312(e)(1)).

2. Data Protection & Encryption

Encryption at Rest & in Transit

Your data is encrypted at every stage of its lifecycle:

  • In Transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher. We employ HSTS to force secure connections.
  • At Rest: Data stored in our databases (PostgreSQL/Supabase) is encrypted using industry-standard AES-256 encryption.
  • Video Storage: Video assets are stored in private R2 buckets, encrypted at rest, and accessible only via time-limited, authenticated secure proxies.

Tenant Isolation

Architecture-Level Separation: We use Row Level Security (RLS) policies at the database layer to strictly enforce tenant isolation. Every database query includes a mandatory check against your validated session token, ensuring it is physically impossible for one tenant to access another's data even in the event of an application-layer bug.

3. Application Security

Authentication & Access Control

  • JWT-Based Auth: All API requests require a valid JSON Web Token (JWT) issued by our secure identity provider.
  • Role-Based Access Control (RBAC): Granular permissions ensure users only access features and data necessary for their role (e.g., Admin vs. User).
  • Secure Proxies: Direct access to storage buckets is blocked. All file access is routed through secure worker proxies that validate authentication and tenant ownership before streaming content.

Secure Development Lifecycle

Our engineering process puts security first:

  • Automated Secret Scanning: Our build pipeline includes automated scanners (e.g., for API keys, private keys, and environment variables) to prevent secret leakage.
  • Vulnerability Management: We regularly scan our dependencies and codebase for known vulnerabilities.
  • Peer Review: All code changes undergo mandatory peer review with a focus on security impact.

4. Infrastructure Security

Our platform runs on world-class infrastructure providers including Cloudflare and Supabase.

  • DDoS Protection: We leverage Cloudflare's global network to protect against Distributed Denial of Service (DDoS) attacks.
  • Web Application Firewall (WAF): Traffic is filtered to block common web exploits and malicious bots.
  • Global Edge Network: Security policies are enforced at the network edge, closer to the user and further from sensitive data.

5. Reporting Security Issues

We value the work of the security research community. If you identify a potential security vulnerability, please report it to us immediately.

Contact: security@impresser.co

We will investigate all valid reports and provide a timely response.

© 2026 Impresser AI. All rights reserved.