Security & Compliance

How we protect your company's operational knowledge and sensitive data

Quick Summary

Stepyo uses AES-256 encryption, is GDPR/LGPD-compliant, and uses OAuth 2.0 for integrations. Data is isolated per workspace with Row Level Security on Supabase.

  • Encryption in transit (TLS 1.3) and at rest (AES-256)
  • GDPR & LGPD-compliant — data stored in Brazil (Supabase São Paulo)
  • OAuth 2.0 for Slack/HubSpot — zero stored passwords
  • Row Level Security (RLS) — full workspace isolation
  • Rate limiting and authentication on 100% of API endpoints
  • Security headers A+ (HSTS, CSP, Referrer-Policy)

Encryption

  • TLS 1.3 for data in transit
  • AES-256 for data at rest
  • SSL/TLS certificates auto-renewed

Compliance

  • GDPR & LGPD-compliant — data in Brazil
  • Supabase infrastructure (São Paulo)
  • SOC 2 Type II (in progress)

Secure Authentication

  • OAuth 2.0 for Slack/HubSpot
  • Zero stored passwords
  • Tokens revocable at any time

Data Isolation

  • Row Level Security (RLS) at the database
  • Workspaces completely isolated
  • Granular permissions per user

Rate Limiting

  • Abuse protection on all AI endpoints
  • Per-user limits via Redis
  • Mandatory authentication on all APIs

Secure CI/CD

  • Automated secret scanning on commits
  • GitHub Actions pinned by SHA
  • Dependabot for vulnerability alerts

Security Headers

  • HSTS with preload enabled
  • CSP, X-Content-Type-Options, Referrer-Policy
  • Restrictive Permissions-Policy

Secrets Management

  • Doppler for centralized secrets
  • Zero secrets in source code
  • Periodic token rotation

Who Has Access to Your Data?

You are in full control

Your workspace data is accessible ONLY by authorized members of your company. Stepyo uses Row Level Security (RLS) on Supabase to guarantee full isolation between workspaces.

Permission levels

  • OWNER: Full access + member management
  • ADMIN: Create/edit processes + settings
  • MEMBER: View and execute processes
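The isolation and permission model described above can be expressed directly as PostgreSQL Row Level Security policies. The following is an added illustration, not Stepyo's actual schema or policies: the table names, column names and the `member_role_in` helper are assumptions, `auth.uid()` is the Supabase helper that returns the calling user's id, and `authenticated` is Supabase's default role for signed-in users. Delete rights are given to OWNER only, which is one reading of "full access" that the page does not spell out.

```sql
-- Added example (not Stepyo's own code): workspace isolation via RLS,
-- with the OWNER / ADMIN / MEMBER levels listed above.

create table workspace_members (
  workspace_id uuid not null,
  user_id      uuid not null,
  role         text not null check (role in ('OWNER', 'ADMIN', 'MEMBER')),
  primary key (workspace_id, user_id)
);

create table processes (
  id           uuid primary key default gen_random_uuid(),
  workspace_id uuid not null,
  title        text not null,
  body         text
);

-- Helper: the caller's role in a workspace, or NULL if not a member.
-- SECURITY DEFINER lets it read workspace_members without going through
-- that table's own policies; search_path is pinned so the lookup cannot be
-- redirected to a shadow table.
create or replace function member_role_in(ws uuid) returns text
language sql stable security definer set search_path = public as $$
  select role from workspace_members
  where workspace_id = ws and user_id = auth.uid();
$$;

-- Every access path to processes goes through a policy, even for the
-- table owner (FORCE), so there is no "RLS is on but nobody enabled it".
alter table processes enable row level security;
alter table processes force row level security;
grant select, insert, update, delete on processes to authenticated;

-- MEMBER and above: read processes of workspaces they belong to.
-- Rows from other workspaces are simply invisible, not "access denied".
create policy processes_select on processes for select
  using (member_role_in(workspace_id) is not null);

-- ADMIN and OWNER: create and edit processes. WITH CHECK on insert/update
-- stops a user from writing a row into a workspace they cannot manage.
create policy processes_insert on processes for insert
  with check (member_role_in(workspace_id) in ('ADMIN', 'OWNER'));

create policy processes_update on processes for update
  using      (member_role_in(workspace_id) in ('ADMIN', 'OWNER'))
  with check (member_role_in(workspace_id) in ('ADMIN', 'OWNER'));

-- OWNER only: delete (assumed reading of "full access").
create policy processes_delete on processes for delete
  using (member_role_in(workspace_id) = 'OWNER');

-- Membership itself: members may see who is in their workspace, only an
-- OWNER may add, change or remove members. Do NOT use FORCE here: the
-- security-definer helper above runs as the table owner and relies on the
-- owner bypassing RLS; forcing it would make the policy call itself.
alter table workspace_members enable row level security;
grant select, insert, update, delete on workspace_members to authenticated;

create policy members_select on workspace_members for select
  using (member_role_in(workspace_id) is not null);

create policy members_manage on workspace_members for all
  using      (member_role_in(workspace_id) = 'OWNER')
  with check (member_role_in(workspace_id) = 'OWNER');
```

A quick check that the policies do what the table above promises: connect as a MEMBER of workspace A and run `select * from processes`; only A's rows come back, and an `insert` into A fails the WITH CHECK. Connect as an ADMIN and the same insert succeeds, while `delete` still returns zero rows. Because filtering happens in the database rather than in application code, a bug in an API handler cannot leak another workspace's rows.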

Stepyo Team

Our team does NOT have access to your operational data; we see only anonymized technical logs used for debugging (no sensitive content). Any support access requires explicit authorization.

Secure Integrations

OAuth 2.0 (Zero Passwords)

All integrations (Slack, HubSpot) use OAuth 2.0 — the industry standard for secure authentication.

  • You authorize via the official interface (Slack/HubSpot)
  • Stepyo NEVER sees your password
  • Tokens can be revoked at any time
  • Granular permissions (you choose what to share)

What we capture from each integration

SLACK

Only threads in authorized channels that contain operational knowledge (troubleshooting, workarounds). Private messages are NEVER accessed.

HUBSPOT

CS/Sales workflows you execute while the extension is active. Customer data is not stored (only visual screenshots of the process).

Infrastructure

Where is your data stored?

We use Supabase (São Paulo, Brazil region) as our backend:

  • Data stored in Brazil (LGPD-compliant)
  • PostgreSQL with Row Level Security (RLS)
  • Automatic daily backups
  • Redundancy and high availability (99.9% uptime)

Monitoring & Logs

We maintain anonymized technical logs for debugging and security. Logs are retained for 30 days and contain no sensitive customer data.

Report a Security Vulnerability

If you have identified a security vulnerability, please contact us immediately:

[email protected] (response within 24h)