Trust

Security

How Citensity protects your data and runs safely. This is an honest overview of our current practices for an early-stage product — not a claim of formal certification.

Last updated: July 1, 2026

Infrastructure

Citensity runs on established cloud providers: the web app on Vercel, the API on Render, and data in Supabase (Postgres) with row-level security. Traffic is served over HTTPS, and secrets (API keys, database credentials) are stored as environment variables in each provider — never committed to source control.

Safe crawling

When Citensity reads a website you provide (to build Brand Memory or analyze a competitor), requests go through an SSRF-guarded fetch that blocks internal/private addresses and cloud metadata endpoints, follows redirects only to safe hosts, and caps response size and time. We read public pages only — we never access your CMS or publish anything without your approval.
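The address and redirect checks described above, sketched as an added example (this is not Citensity's code): every hostname is resolved and vetted before connecting, and each redirect hop is vetted again. The function names, `MAX_REDIRECTS`, and the `.example` hosts with their DNS answers are assumptions constructed for illustration; size and time caps are left to the HTTP client passed in as `send`.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

MAX_REDIRECTS = 5  # assumed limit, not a value from the page
# Constructed DNS answers and redirects so the example runs offline.
SAMPLE_DNS = {"ok.example": ["93.184.216.34"], "meta.example": ["169.254.169.254"],
              "mixed.example": ["93.184.216.34", "10.0.0.5"]}
SAMPLE_REDIRECTS = {"https://ok.example/go": "http://meta.example/"}

class BlockedURL(ValueError):
    """A URL or redirect hop failed the SSRF policy."""

def is_public_ip(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:  # judge ::ffff:127.0.0.1 as 127.0.0.1
        ip = mapped
    # is_global is False for loopback, RFC 1918, CGNAT, ULA, link-local (169.254/16)
    return ip.is_global and not ip.is_multicast

def system_resolve(host):
    infos = socket.getaddrinfo(host, None, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def check_url(url, resolve=system_resolve):
    """Return the vetted IPs for url, or raise BlockedURL."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise BlockedURL(f"scheme or host not allowed: {url}")
    addrs = resolve(parts.hostname)
    # Reject if ANY record is internal, so a mixed answer cannot slip through.
    if not addrs or not all(is_public_ip(a) for a in addrs):
        raise BlockedURL(f"{parts.hostname} resolves to a non-public address")
    return addrs  # connect to one of these; do not resolve a second time

def follow(url, send, resolve=system_resolve):
    """Re-check every redirect hop. send(url, ip) is the caller's HTTP client
    with automatic redirects off; it returns (status, location or None)."""
    for _ in range(MAX_REDIRECTS + 1):
        ip = check_url(url, resolve)[0]
        status, location = send(url, ip)
        if status not in (301, 302, 303, 307, 308) or not location:
            return url
        url = urljoin(url, location)
    raise BlockedURL("too many redirects")
```

Connecting to the vetted IP returned by `check_url`, rather than resolving the hostname a second time, is what keeps a DNS answer that changes between check and connect from bypassing the guard.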

Access & authentication

Workspace access is authenticated, and the product is built for per-workspace tenant isolation. Server-side secrets are never exposed to the browser. As we move from open beta to production, we enforce authentication on every non-public route.

Your data

  • We use your data to operate the product for you — grounding content, capturing leads, and reporting results.
  • We do not sell your data.
  • Generated content is grounded in your Brand Memory; we don't fabricate claims on your behalf.
  • Third-party processors we rely on are listed in our privacy policy.

Responsible disclosure

Found a vulnerability? Please report it privately via our contact form before disclosing publicly, and we'll work with you to fix it quickly. As we scale, we'll formalize our security program (including third-party review); we'll describe it here honestly as it matures rather than claim certifications we don't yet hold.