Security at Incertive
We take the security of your data seriously. This page describes the technical and operational measures we have in place — honestly and without overclaiming.
1. Security Overview
Incertive is an early-stage SaaS product built with security-conscious engineering practices. We apply standard industry controls for authentication, encryption, and input validation. We do not hold certifications such as SOC 2 or ISO 27001 at this time, and we are not staffed with a dedicated security team. What we do have is a thoughtful engineering approach and a commitment to being transparent about what we protect and how.
Our stack consists of a Next.js frontend, an Express API server, and a PostgreSQL database hosted on cloud infrastructure. Security controls are applied at each layer. We will update this page as our security posture evolves.
2. Data Encryption
In Transit
All communication between your browser and our servers is encrypted using TLS 1.2 or higher. This applies to the web application, the API, and any webhooks we send or receive. We enforce HTTPS and do not serve content over plain HTTP.
At Rest
Our PostgreSQL database runs on cloud infrastructure that provides encryption at rest as a platform feature. This means stored data — including user records, plan content, and analysis results — is encrypted on disk by the cloud provider.
Passwords and Personal Access Token secrets are never stored in plain text. They are hashed using bcrypt before being written to the database.
3. Authentication & Access Control
Session Authentication
Incertive uses NextAuth.js to manage user sessions. Authentication state is maintained via JWTs. Passwords are hashed with bcrypt using a cost factor appropriate for current hardware. We do not store raw passwords at any point.
Personal Access Tokens (PAT)
Users can generate Personal Access Tokens for API access. The token secret is shown once at creation time and is not stored — only a bcrypt hash is retained. Tokens can be revoked at any time from account settings.
Role-Based Access Control
User accounts are assigned a role: USER, ADMIN, or SUPER_ADMIN. Access to resources and API endpoints is gated by role checks enforced on the server. Feature availability is also controlled by subscription tier.
4. Application Security
All API request bodies and query parameters are validated using Zod schemas. Requests that fail validation are rejected before reaching business logic.
API endpoints are rate-limited to protect against abuse and brute-force attacks. Limits vary by endpoint sensitivity.
Cross-Origin Resource Sharing is configured to allow requests only from permitted origins.
Authenticated API routes require a valid Bearer token in the Authorization header. Tokens are validated on every request.
5. Third-Party Data Processing
Incertive integrates with several third-party services. We are transparent about what data each service receives.
AI Analysis
When you request an AI analysis of a plan, the plan's text content is sent to a third-party AI provider's API for processing. The provider returns the analysis results, which we store in our database and display to you.
What this means: Your plan text leaves our servers and is processed by a third-party AI service. If you include sensitive or confidential information in your plans, it will be transmitted to the AI provider's API.
The AI provider's data handling is governed by their API usage policies. We do not send account credentials, payment information, or personal profile data to the AI provider — only the plan content you explicitly submit for analysis.
Payment Integration
All payment processing is handled by a PCI DSS Level 1 certified payment processor. Incertive never receives or stores your payment card details. This is the highest level of payment security certification available.
We store a customer ID and subscription status in our database to manage your account tier, but no raw card data.
Error Monitoring
We use an error monitoring service to capture application errors and performance data. When an error occurs, the service receives a stack trace, the URL at the time of the error, and contextual metadata such as your user ID (to help us correlate errors with accounts).
We configure error monitoring to avoid capturing sensitive form values or request bodies. Error reports are used solely for debugging and improving the product.
6. Data Storage & Retention
User data — including account information, plans, and analysis results — is stored in a PostgreSQL database hosted on cloud infrastructure with encryption at rest.
We do not sell your data to third parties. Your plan content is your intellectual property and is only used to provide the service to you.
If you delete your account, your data is removed from our active database. We may retain anonymized usage statistics or backups for a limited period as required for operational continuity, after which your data is purged.
You can request a copy of your data or deletion of your account at any time by contacting us at [email protected].
7. Privacy Compliance
We are aware of and take steps to respect the rights of users under GDPR (European Union) and CCPA (California). We are not formally certified or audited against these frameworks, but our practices are designed to align with their core principles.
Data Subject Rights
- Access: You can request a copy of the personal data we hold about you.
- Deletion: You can request deletion of your account and associated data.
- Correction: You can update your profile information directly in the application.
- Portability: You can request an export of your plan data.
- Opt-out: We do not sell personal data. There is no sale to opt out of.
To exercise any of these rights, email [email protected] with your request. We will respond within a reasonable timeframe.
8. Incident Response
In the event of a security incident affecting customer data, we will:
- Investigate and contain the incident as quickly as possible.
- Notify affected users in a timely manner, with details about what happened and what data was involved.
- Notify relevant authorities where required by applicable law (e.g., GDPR's 72-hour supervisory authority notification requirement).
- Document the incident, remediation steps, and lessons learned to prevent recurrence.
We use error monitoring tools for error and anomaly detection. We monitor application logs and cloud provider alerts for signs of unusual activity. We do not operate a 24/7 staffed security operations center, but we respond to critical alerts as quickly as possible.
9. Security Contact
To report a security vulnerability, ask a security question, or make a data subject request, please email:
We appreciate responsible disclosure. If you discover a potential security issue, please contact us privately before making it public. We will acknowledge receipt of your report promptly and work to address confirmed issues as quickly as possible.
We do not currently operate a formal bug bounty program, but we take all reports seriously and are grateful to researchers who help us improve security.