Security

Last updated: March 2026

TLS 1.3 Encrypted · AES-256 at Rest · SOC 2 Vendors · GDPR Compliant · CCPA Compliant · Row-Level Security

At Outpacer AI ("Outpacer," "we," "us," or "our"), protecting your data is fundamental to everything we build. This page describes the technical and organizational security measures we implement to safeguard your information. We believe transparency about our security practices builds trust and helps you make informed decisions about your data.

Outpacer AI, Inc. is incorporated in the State of Delaware, United States. Our security program is designed to meet or exceed industry standards and comply with applicable data protection regulations, including GDPR and CCPA.

1. Infrastructure

Our infrastructure is built on industry-leading cloud platforms, each selected for their security certifications, reliability, and compliance posture. We do not operate our own data centers; instead, we leverage the security investments of established cloud providers.

  • Vercel — Frontend hosting and edge network. Vercel is SOC 2 Type II compliant and provides automatic DDoS protection, global CDN distribution, and isolated build environments for each deployment.
  • Railway — Worker processes and background job execution. Railway provides isolated containers for each service, encrypted environment variables, and private networking between services.
  • Supabase — Primary database (PostgreSQL) and authentication services. Supabase is SOC 2 Type II compliant and provides managed database infrastructure with built-in security features including encryption, access controls, and automated backups.

2. Data Encryption

We employ strong encryption at every layer to protect your data both in transit and at rest.

2.1 In Transit

All data transmitted between your browser and our servers is encrypted using TLS 1.3, the latest version of the Transport Layer Security protocol. We enforce HTTPS on all endpoints and do not support deprecated protocols such as TLS 1.0 or 1.1. API communications between our internal services also use TLS encryption.

2.2 At Rest

All database data is encrypted at rest using AES-256 encryption, the industry gold standard for symmetric encryption. This includes your account information, generated content, keyword research data, and analytics. CMS credentials (such as WordPress or Webflow API keys) are encrypted at rest using separate application-level encryption keys, ensuring that even in the unlikely event of a database compromise, your CMS credentials remain protected.

3. Authentication

We implement multiple layers of authentication security to protect your account:

  • Password hashing: All passwords are hashed using bcrypt with a high work factor. We never store plaintext passwords. Bcrypt's adaptive hashing makes brute-force attacks computationally infeasible.
  • OAuth 2.0 with Google: Users can authenticate via Google using the OAuth 2.0 protocol, eliminating the need to create and manage a separate password for Outpacer.
  • PKCE for OAuth flows: We use Proof Key for Code Exchange (PKCE) for all OAuth flows, which prevents authorization code interception attacks, even on public clients.
  • Secure session management: Sessions are managed by Supabase Auth with secure, HTTP-only cookies that are not accessible to client-side JavaScript. Sessions have defined expiration periods and are automatically invalidated on logout.

4. Access Controls

We implement strict access controls at both the application and database levels to ensure data isolation and enforce the principle of least privilege.

4.1 Row-Level Security (RLS)

Our PostgreSQL database uses row-level security (RLS) policies to ensure that each customer can only access their own data. RLS is enforced at the database engine level, meaning that even if an application-level bug were to occur, the database itself would prevent unauthorized data access. Every query is automatically scoped to the authenticated user's organization.

4.2 Service Role Isolation

The Supabase service role key, which has elevated database privileges, is used exclusively by our server-side worker processes. It is never exposed to the client-side application. All client-side requests use the anon key with RLS enforcement. We follow the principle of least privilege: each component of our system is granted only the minimum permissions necessary to perform its function.

5. Application Security

Our application is built with security best practices embedded throughout the development lifecycle:

  • Input validation with Zod: All user inputs and API payloads are validated using Zod schemas on both the client and server side. This prevents injection attacks, type confusion, and malformed data from reaching our business logic or database.
  • CSRF protection: We implement Cross-Site Request Forgery (CSRF) protection using token-based validation to ensure that requests originate from our application.
  • Secure headers: We set strict HTTP security headers including Strict-Transport-Security (HSTS), X-Content-Type-Options, X-Frame-Options, and Referrer-Policy to protect against common web vulnerabilities.
  • Content Security Policy: We implement a Content Security Policy (CSP) that restricts the sources from which scripts, styles, and other resources can be loaded, mitigating the risk of cross-site scripting (XSS) attacks. Inline scripts are avoided where possible.

6. Third-Party Vendor Security

We carefully evaluate the security posture of all third-party vendors before integration and conduct ongoing reviews to ensure continued compliance. All critical vendors maintain SOC 2 compliance:

Vendor      Purpose                  Compliance
Anthropic   AI content generation    SOC 2 Type II
OpenAI      AI content generation    SOC 2 Type II
Stripe      Payment processing       SOC 2 Type II, PCI DSS Level 1
Supabase    Database & auth          SOC 2 Type II
Vercel      Frontend hosting         SOC 2 Type II

Data shared with AI providers (Anthropic, OpenAI) is limited to the content generation context and is not used to train their models when using their API endpoints. We have data processing agreements in place with all vendors.

7. Vulnerability Management

We maintain a proactive approach to identifying and remediating vulnerabilities in our software and infrastructure:

  • Dependency scanning: We use automated tools to continuously scan our dependency tree for known vulnerabilities. Critical and high-severity vulnerabilities are prioritized for immediate remediation.
  • Regular updates: Dependencies and runtime environments are updated on a regular cadence. Security patches are applied as soon as possible after release.
  • No known vulnerabilities policy: We maintain a zero-tolerance policy for known critical vulnerabilities in production. Our CI/CD pipeline includes security checks that block deploys with known critical vulnerabilities.

8. Incident Response

We maintain a defined incident response process to handle security events swiftly and transparently:

  • Defined process: Our incident response plan includes identification, containment, eradication, recovery, and post-incident review phases. All team members are trained on these procedures.
  • 72-hour notification: In compliance with GDPR Article 33, we will notify the relevant supervisory authority within 72 hours of becoming aware of a personal data breach. We will also notify affected users without undue delay when the breach is likely to result in a high risk to their rights and freedoms.
  • Root cause analysis: Every security incident, regardless of severity, undergoes a thorough root cause analysis. Findings are documented and used to improve our security posture and prevent recurrence.

9. Data Isolation

Outpacer operates a multi-tenant architecture where all customers share the same infrastructure but their data is strictly isolated. PostgreSQL row-level security (RLS) policies ensure that each organization's data is completely separated at the database level. There is no shared data between organizations — one customer can never access, view, or modify another customer's data, keywords, content, analytics, or account information. RLS policies are enforced on every table that contains customer data.
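The organization-scoped row-level security described in sections 4.1, 4.2 and 9, shown as an added illustration written for this page and not Outpacer's own schema or policies. It assumes a Supabase PostgreSQL project, constructed table names (organization_members, content) and Supabase's auth.uid() helper, which returns the "sub" claim of the caller's JWT.

```sql
-- Constructed schema (not Outpacer's own): content rows belong to an organization,
-- and a membership table maps Supabase auth users to organizations.
create table organization_members (
  organization_id uuid not null,
  user_id         uuid not null references auth.users (id) on delete cascade,
  primary key (organization_id, user_id)
);

create table content (
  id              uuid primary key default gen_random_uuid(),
  organization_id uuid not null,
  title           text not null,
  body            text
);

-- Turn RLS on. Until a policy grants access, the anon and authenticated roles see no rows.
-- FORCE applies the policies to the table owner too; only roles with BYPASSRLS
-- (in Supabase, service_role, whose key stays server-side) skip them entirely.
alter table organization_members enable row level security;
alter table organization_members force row level security;
alter table content enable row level security;
alter table content force row level security;

-- A user may read only their own membership rows.
create policy members_read_own on organization_members
  for select to authenticated
  using (user_id = (select auth.uid()));

-- Every SELECT/INSERT/UPDATE/DELETE on content is scoped to the caller's organizations.
-- USING filters the rows that can be seen or changed; WITH CHECK rejects inserted or
-- updated rows whose organization_id the caller does not belong to, so a well-formed
-- client request still cannot write into another tenant's organization.
create policy content_org_isolation on content
  for all to authenticated
  using (organization_id in (
    select organization_id from organization_members
    where user_id = (select auth.uid())))
  with check (organization_id in (
    select organization_id from organization_members
    where user_id = (select auth.uid())));

-- Verification from psql with a constructed user id: take on the authenticated role and the
-- JWT claims PostgREST would set, then confirm only that user's organizations are returned.
begin;
set local role authenticated;
select set_config('request.jwt.claims',
  '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}', true);
select organization_id, count(*) from content group by organization_id;
rollback;
```

A request carrying the anon key without a valid user JWT runs as the anon role, for which no policy exists above, so it returns no rows at all.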

10. Backups

Data durability is critical for our customers' trust. Our backup strategy includes:

  • Automated database backups: Supabase provides automated daily database backups that are stored in geographically distributed locations.
  • Point-in-time recovery: Our database supports point-in-time recovery (PITR), allowing us to restore data to any specific moment within the retention window. This capability is critical for recovering from data corruption or accidental deletion.
  • Backup encryption: All backups are encrypted at rest using the same AES-256 encryption standard applied to our primary database storage.

11. Responsible Disclosure Program

We welcome and appreciate the work of security researchers who help us keep the Outpacer platform and our users safe. If you discover a security vulnerability, we encourage you to report it to us responsibly.

Report vulnerabilities to:

security@outpacer.ai

Our commitments:

  • We will acknowledge your report within 48 hours.
  • We will provide an initial assessment within 5 business days.
  • We will keep you informed of our progress toward remediation.
  • We offer safe harbor for good-faith security research — we will not pursue legal action against researchers who follow responsible disclosure practices and do not access, modify, or delete other users' data.

When reporting a vulnerability, please include a detailed description of the issue, steps to reproduce it, the potential impact, and any suggested remediation. Please do not publicly disclose vulnerabilities before we have had a reasonable opportunity to address them.

12. Compliance Roadmap

We are committed to continuously improving our security and compliance posture. Our current compliance status and planned certifications:

Framework        Status       Timeline
GDPR             Compliant    Current
CCPA             Compliant    Current
SOC 2 Type II    Planned      2026
ISO 27001        Planned      2027

13. Contact

If you have questions about our security practices or would like to request additional information, please contact us:

Outpacer AI, Inc. is incorporated in the State of Delaware, United States. We are committed to maintaining the highest standards of security and transparency as we grow and serve our customers worldwide.