Security at Surveo.io
Last updated: 11.02.2026
We take security seriously and design Surveo to follow industry best practices for protecting data. This page summarizes the technical measures we use and how we handle data in the platform.
Infrastructure and Hosting
Surveo is built on Vercel for application hosting and edge delivery, Supabase for database and authentication, and Postmark for transactional email delivery. These providers operate secure, managed infrastructure and maintain their own security programs and controls.
Data Isolation and Access Control
- Organization-level isolation ensures customer data is scoped to each workspace.
- Supabase Row-Level Security policies restrict data access to authorized members.
- Service-role access is limited to trusted server-side operations.
Authentication and API Security
- User authentication is handled by Supabase Auth.
- API keys are stored as hashes and verified server-side.
- Protected routes require authentication and membership checks.
Encryption
- Data in transit is protected using HTTPS/TLS.
- Data at rest is stored in managed infrastructure with provider-level encryption.
Email Invitation Security
- Invitation emails include unique, trackable links per recipient.
- Postmark webhook signatures can be verified to prevent spoofed events.
- Delivery events are logged for auditability.
Monitoring and Logging
We log operational events such as invitation sends and webhook activity to support troubleshooting, usage tracking, and abuse prevention.
Data Retention and Deletion
We retain data for as long as needed to provide the Service. To have data deleted or anonymized, or to exercise your GDPR rights, contact hello@surveo.io. All requests must be sent to that address.
Responsible Disclosure
If you discover a security issue, please report it to hello@surveo.io with details and steps to reproduce. We appreciate responsible disclosure and will respond promptly.