Security

Security and compliance

EU hosting (Frankfurt), AES-256 encryption at rest, TLS 1.3 in transit, logical data isolation per workspace, full audit log.

Hosting and infrastructure

Application servers and Postgres run in Railway's EU region (Frankfurt). DNS and CDN via Cloudflare (EU edge). Database backups every 24 hours, point-in-time recovery up to 7 days.

Encryption

At rest: AES-256-GCM. Postgres TDE, encrypted blob storage. In transit: TLS 1.3 between every service and client. No plain HTTP.

Data isolation

Multi-tenant architecture with row-level security. Every table has an org_id column and every query must filter on it; code reviews enforce this invariant. Penetration tests twice a year.
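As an added illustration (not Surya Tool's own schema or code), the same org_id invariant enforced inside Postgres with row-level security, so that a query which forgets the filter returns nothing instead of every tenant's rows. Table, role and setting names (proposals, app_user, app.current_org) and the sample rows are assumed.

```sql
-- Added example: enforcing the org_id invariant in Postgres itself, in
-- addition to code review. Names (proposals, app_user, app.current_org)
-- are assumptions, not Surya Tool's schema.

CREATE TABLE proposals (
    id      bigserial PRIMARY KEY,
    org_id  bigint NOT NULL,
    title   text   NOT NULL,
    status  text   NOT NULL DEFAULT 'draft'
);

-- Weak form: isolation depends on every query remembering the predicate.
--   SELECT * FROM proposals WHERE org_id = 42;   -- correct
--   SELECT * FROM proposals;                     -- one missed WHERE leaks all tenants

-- Hardened form: the database appends the predicate to every statement.
ALTER TABLE proposals ENABLE ROW LEVEL SECURITY;
ALTER TABLE proposals FORCE ROW LEVEL SECURITY;   -- applies to the table owner too

-- Role the application connects as. It is not a superuser, so RLS applies.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON proposals TO app_user;
GRANT USAGE, SELECT ON SEQUENCE proposals_id_seq TO app_user;

-- The tenant comes from a per-transaction setting the application fills in
-- after authentication. current_setting(..., true) returns NULL when the
-- setting was never set, and NULLIF turns the post-transaction '' into NULL,
-- so "no tenant" compares as NULL and matches zero rows (fail closed).
CREATE POLICY tenant_isolation ON proposals
    FOR ALL TO app_user
    USING      (org_id = NULLIF(current_setting('app.current_org', true), '')::bigint)
    WITH CHECK (org_id = NULLIF(current_setting('app.current_org', true), '')::bigint);

-- Smoke test as the application role (constructed sample data).
SET ROLE app_user;
BEGIN;
SELECT set_config('app.current_org', '42', true);   -- local to this transaction
INSERT INTO proposals (org_id, title) VALUES (42, 'Increase brand budget');
SELECT count(*) FROM proposals;                      -- only org 42 rows are visible
COMMIT;
-- INSERT INTO proposals (org_id, title) VALUES (43, 'Wrong tenant');
--   rejected by WITH CHECK: new row violates row-level security policy
-- SELECT * FROM proposals;
--   outside a transaction with the tenant set: zero rows, never every tenant's rows
RESET ROLE;
```

The set_config call belongs in the same transaction as the queries it scopes; set with the third argument true, the tenant value is discarded at COMMIT, so a pooled connection cannot carry one organisation's tenant into the next request.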

Audit log

Every action (login, data view, proposal approval, change execution in Google Ads) is recorded with timestamp, user identity and IP. The log is immutable and exportable, and is retained for 24 months.
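An added example, not the page's own code, of how such an append-only audit table can be built in Postgres: the application role may insert and read but never update or delete, and a statement trigger refuses rewrites even if privileges drift. Names (audit_log, app_user) and the sample row values are constructed.

```sql
-- Added example: an immutable, exportable audit log in Postgres.
-- Names (audit_log, app_user) and sample values are constructed.

CREATE TABLE audit_log (
    id          bigserial   PRIMARY KEY,
    occurred_at timestamptz NOT NULL DEFAULT now(),
    org_id      bigint      NOT NULL,
    user_id     text        NOT NULL,    -- authenticated identity
    client_ip   inet        NOT NULL,    -- source address of the request
    action      text        NOT NULL,    -- e.g. 'login', 'proposal.approve', 'google_ads.change'
    detail      jsonb       NOT NULL DEFAULT '{}'::jsonb
);

-- Privilege layer: the application can append and read, never rewrite.
REVOKE ALL ON audit_log FROM PUBLIC;
GRANT INSERT, SELECT ON audit_log TO app_user;
GRANT USAGE ON SEQUENCE audit_log_id_seq TO app_user;

-- Trigger layer: a role that somehow holds UPDATE/DELETE/TRUNCATE is still stopped.
CREATE FUNCTION audit_log_immutable() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    RAISE EXCEPTION 'audit_log is append-only (% attempted)', TG_OP;
END;
$$;

CREATE TRIGGER audit_log_no_rewrite
    BEFORE UPDATE OR DELETE OR TRUNCATE ON audit_log
    FOR EACH STATEMENT EXECUTE FUNCTION audit_log_immutable();

-- Recording an event (constructed sample values; 203.0.113.7 is a documentation address).
INSERT INTO audit_log (org_id, user_id, client_ip, action, detail)
VALUES (42, 'alice@example.com', '203.0.113.7', 'proposal.approve', '{"proposal_id": 1001}');

-- DELETE FROM audit_log WHERE id = 1;
--   fails: audit_log is append-only (DELETE attempted)

-- Export for one organisation: plain CSV, read-only.
COPY (SELECT occurred_at, user_id, client_ip, action, detail
      FROM audit_log
      WHERE org_id = 42
      ORDER BY occurred_at)
TO STDOUT WITH (FORMAT csv, HEADER);
```

Because the trigger also blocks DELETE, a 24-month retention window is best implemented by range-partitioning the table by month and dropping partitions that age out; dropping a partition is DDL and is unaffected by the trigger, so the table stays append-only for everything else.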

OAuth and credentials

OAuth tokens for Google Ads, Sklik, Meta are encrypted with AES-256 and a rotating master key. Credentials never leave the application layer — not in logs, not in error trackers.

AI providers

Anthropic Claude — zero retention enabled. Your data is not used for training. SOC 2 Type II + ISO 27001. OpenAI — embeddings only (vector search). We send short text snippets, never full reports or credentials.

Compliance certifications

  • GDPR — full compliance, DPO appointed, DPA available.
  • SOC 2 Type II — in process (Q3 2026).
  • ISO 27001 — in process (Q4 2026).

Report security incidents to security@suryatool.io (PGP key on request). Responsible disclosure rewarded.