Security
How Citensity protects your data and runs safely. This is an honest overview of our current practices for an early-stage product — not a claim of formal certification.
Last updated: July 1, 2026
Infrastructure
Citensity runs on established cloud providers: the web app on Vercel, the API on Render, and data in Supabase (Postgres) with row-level security. Traffic is served over HTTPS, and secrets (API keys, database credentials) are stored as environment variables in each provider — never committed to source control.
Safe crawling
When Citensity reads a website you provide (to build Brand Memory or analyze a competitor), requests go through an SSRF-guarded fetch that blocks internal/private addresses and cloud metadata endpoints, follows redirects only to safe hosts, and caps response size and time. We read public pages only — we never access your CMS or publish anything without your approval.
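One way to implement the address and redirect checks described above, as an added example that is not Citensity's own code. The function names, the injectable resolver and the redirect cap of 5 are assumptions.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

MAX_REDIRECTS = 5  # assumed cap; the page does not state a number

def ip_is_public(ip_text):
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(ip_text)
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so it cannot slip past the check.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global is False for private, loopback, link-local (169.254.169.254), CGNAT.
    return ip.is_global and not ip.is_multicast

def system_resolver(host):
    """Default resolver: every address the system returns for the host."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def url_is_safe(url, resolve=system_resolver):
    """Allow only http(s) URLs whose host maps solely to public addresses."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        addresses = [str(ipaddress.ip_address(parts.hostname))]  # IP literal
    except ValueError:
        try:
            addresses = resolve(parts.hostname)
        except OSError:
            return False
    # A single internal record is enough to reach an internal service: reject.
    return bool(addresses) and all(ip_is_public(a) for a in addresses)

def first_unsafe_hop(start_url, locations, resolve=system_resolver):
    """Check the start URL, then each redirect Location in order.
    Returns the first blocked URL, or None when every hop is safe."""
    current = start_url
    if not url_is_safe(current, resolve):
        return current
    for hop, location in enumerate(locations, start=1):
        current = urljoin(current, location)  # Location may be relative
        if hop > MAX_REDIRECTS or not url_is_safe(current, resolve):
            return current
    return None
```

A guard like this only holds if the HTTP client then connects to the same addresses that were validated; otherwise a second DNS lookup can return a different answer. The response size and time caps mentioned above are not shown here.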
Access & authentication
Workspace access is authenticated, and the product is built for per-workspace tenant isolation. Server-side secrets are never exposed to the browser. As we move from open beta to production, we enforce authentication on every non-public route.
Your data
- We use your data to operate the product for you — grounding content, capturing leads, and reporting results.
- We do not sell your data.
- Generated content is grounded in your Brand Memory; we don't fabricate claims on your behalf.
- Third-party processors we rely on are listed in our privacy policy.
Responsible disclosure
Found a vulnerability? Please report it privately via our contact form before disclosing publicly, and we'll work with you to fix it quickly. As we scale, we'll formalize our security program (including third-party review); we'll describe it here honestly as it matures rather than claim certifications we don't yet hold.