Developum AI Inc. · Security
This page describes the technical controls that protect the data our customers trust us with. It is written to be legible to engineers, auditors, and enterprise buyers doing security diligence.
The Non-Negotiables
- Screenplays never leave the platform for AI processing. The EVOLUM engine is a local, deterministic Python + JSON pipeline. No customer creative content is transmitted to third-party LLM providers (OpenAI, Anthropic, Google, etc.).
- All data is encrypted in transit. TLS 1.2+ enforced end-to-end via Caddy reverse proxy with automatic certificate rotation.
- All data is encrypted at rest. AES-256 via Supabase-managed Postgres storage. Physical disks are Hetzner-managed with hardware-level encryption.
- Payment card data never touches our servers. All payment collection and processing is handled by Stripe under their PCI-DSS Level 1 attestation. We store only Stripe customer IDs and subscription references.
Data Architecture
Application Data
Supabase (Postgres). Row-Level Security enforced on every table containing customer content. RLS policies audited weekly via automated script. Backups: daily automated SQL dumps with verification.
Authentication
Supabase Auth. JWT-based session tokens with 1-hour expiry and rotation. Passwords hashed with bcrypt. Optional MFA available.
File Storage
Supabase Storage. Private buckets with signed URLs (1-hour default expiry, auto-refreshed). No public direct-access URLs for customer content.
Infrastructure
Hetzner Cloud. EU/US data centers, physical security handled by Hetzner. Server-level firewalls, SSH-key-only access, no password authentication.
Payments
Stripe. All payment methods, subscription state, and card details stored by Stripe. We store only opaque customer + subscription IDs and event webhooks.
Email Notifications
Transactional email sent via SMTP through Supabase Auth. Content is limited to authentication flows (verify email, reset password) — no marketing.
Access Controls
- Principle of least privilege. Every user role has the minimum permissions needed for their function.
- Row-Level Security enforced at the database layer — even if application code has a bug, users cannot read or write another user's rows.
- Admin access requires SSH keys with passphrase. No password login is enabled on production servers.
- Session tokens rotate every hour. Compromised tokens have a bounded blast radius.
- Access reviews conducted per the Access Control Policy documented in our SOC-2 package.
Monitoring & Incident Response
- Application-level errors captured and dispatched via our incident alerter.
- Systemd service health monitored on all production processes with automatic restart on failure.
- Weekly RLS audit script confirms row-level security policies remain intact after schema changes.
- Daily backup verification script confirms recoverable database dumps exist.
- Incident response follows a documented playbook (containment → eradication → notification → post-mortem). Customer notification within 72 hours of confirmed data-affecting incident.
What We Don't Do
- We do not train third-party AI models on customer data.
- We do not transmit screenplays, treatments, or creative content to external AI APIs.
- We do not sell customer data to advertisers or data brokers.
- We do not retain deleted customer content beyond backup rotation windows (documented in the DR/BCP).
- We do not permit direct database access to anyone outside the engineering team.
Reporting a Vulnerability
Security researchers and users who identify a vulnerability are asked to disclose responsibly by emailing security@developumaiengine.com. Please do not publicly disclose until we have had reasonable time to remediate (typically 30-90 days depending on severity). We do not currently operate a paid bounty program, but we credit disclosures publicly if the researcher requests it.
More Detail
For the full security posture — access control policy, change management policy, incident response plan, DR/BCP with RTO/RPO metrics, and system evidence — see our Trust Center or write to security@developumaiengine.com for the auditor package.