Trust & Security

See how SupaBook protects your business data — workspace isolation, encryption at rest and in transit, AI data commitments, and our compliance posture.

How SupaBook protects your business data

SupaBook is built on a security-first foundation. Every workspace is isolated, every request is authenticated, and every sensitive action is logged. We treat your client data like our own.

Workspace isolation

Each studio (workspace) operates inside its own logical tenant. Database-level Row Level Security (RLS) policies enforce that users in one studio can never read or write data in another, even if they discover internal IDs. There is no shared "all customers" table that requires application-side filtering.

Encryption

  • All traffic uses TLS 1.2 or higher
  • Data at rest is encrypted with AES-256
  • Database backups are encrypted and stored across regions

Payment security

SupaBook partners with Stripe for secure payment processing. Stripe collects and tokenizes sensitive card and ACH details, while SupaBook stores the business records needed for invoices, receipts, project history, and reconciliation.

  • Stripe handles full card numbers, CVVs, and full bank account details
  • SupaBook stores payment status, amounts, receipt details, and related invoice records
  • Processing rates, pass-fee settings, instant payouts, and surcharge guidance are covered in the payment fees guide

Authentication and access

  • Strong password requirements with breach detection
  • Optional multi-factor authentication for owners and admins
  • Granular role-based permissions for team members
  • Session tokens rotate; long-lived API keys are scoped to a studio
  • Service role keys are never exposed to browsers

AI data commitments

SupaBook's AI features (call transcription, message drafting, voice agents) do not use your client data to train third-party models. Provider relationships are configured for zero retention where supported. See the AI Features Terms.

Compliance and legal

  • GDPR-aligned data processing — see the Data Processing Agreement
  • TCPA-compliant SMS and voice with opt-in tracking and audit log — see Communications Policy
  • Standard sub-processor list available on request

Reporting a vulnerability

Responsible disclosure is welcome. Report issues to security@supabook.ai. We acknowledge reports within one business day.


Canonical URL: https://supabook.ai/trust/