Security at Smoothly

Security is foundational to Smoothly. We host customer code, authentication tokens, and project data, and we take that responsibility seriously. This page describes the controls we have in place today, the standards we are working toward, and how to reach us about security concerns.

1. Compliance Status

We are actively working toward the following certifications:

• SOC 2 Type II — target: Q4 2026
• ISO 27001 — target: Q4 2026
• GDPR compliance — in effect today, with EU data residency for primary storage

Our infrastructure providers (Vercel, Supabase, Cloudflare, Stripe) maintain SOC 2 Type II and ISO 27001 certifications, and our architecture is designed to be compatible with our forthcoming audits without major rework.

2. Infrastructure Security

• Hosting: Application served by Vercel with TLS 1.2+ enforced and HSTS enabled. DNS and edge protection by Cloudflare.
• Database: Supabase (PostgreSQL) hosted in the EU, encrypted at rest with row-level security (RLS) enforced on all customer-scoped tables.
• Object storage: Cloudflare R2 (Western Europe region) with server-side encryption for all stored project files and assets.
• Sandboxed execution: Customer-generated code runs in isolated Modal containers, never on shared infrastructure.
• Secrets: Managed through Vercel and Supabase secret stores. No secrets are committed to source control.
• Access control: Production access is restricted to the founder. All admin actions are logged.

3. Code Security

• CI gates: Every pull request is gated by lint, type check, and full test suite before merge.
• AI code review: Pull requests are scanned by CodeRabbit for security issues, regressions, and risky patterns before human review.
• Dependency scanning: GitHub Dependabot monitors dependencies and opens PRs for vulnerable packages. Critical and high-severity advisories are resolved within 7 days.
• Secret scanning: GitHub secret scanning and push protection are enabled on the repository.
• Branch protection: The main branch requires status checks, code review, and a clean CI pipeline before merge.
• Static analysis: TypeScript strict mode, ESLint with security plugins, and regular manual security audits.

4. Data Protection

• EU data residency: Primary database, file storage, and logging are hosted in the European Union.
• Encryption in transit: All connections use TLS 1.2 or higher.
• Encryption at rest: Database, object storage, and backups are encrypted at rest.
• No AI training on customer data: We do not use customer code, prompts, or generated content to train any AI model. Anthropic does not retain or train on data sent through our API integration.
• Data subject rights: You may request access, export, correction, or deletion of your data at any time. See our Privacy Policy for details.
• Data retention: Account data is retained for the lifetime of your account and deleted within 30 days of account closure, subject to legal retention obligations.

5. Incident Response

We maintain a documented incident response process. In the event of a confirmed security incident affecting your data, we will notify affected customers without undue delay and within 72 hours of becoming aware, in accordance with GDPR Article 33.

To report an active incident or suspected breach, contact incident@smoothly.dev.

6. Responsible Disclosure

We welcome reports from security researchers. If you believe you have found a vulnerability in Smoothly, please report it to security@smoothly.dev.

We ask that you:

• Give us reasonable time to investigate and remediate before any public disclosure
• Avoid privacy violations, data destruction, or service degradation
• Do not exploit a vulnerability beyond the minimum necessary to demonstrate it

We will acknowledge your report within 3 business days and aim to provide a substantive response within 10 business days. A formal bug bounty program is on our roadmap.

Our standard contact information for security researchers is also published at /.well-known/security.txt (per RFC 9116).

7. Subprocessors & Data Processing

For a complete list of vendors that process customer data, see our Subprocessors page. Business customers can sign our standard Data Processing Agreement.

8. Contact