Trust & Safety

Security at CloseDraft

We protect your data with the same vigilance you protect your client relationships. Every layer is designed with encryption, isolation, and integrity.

Strong Encryption

AES‑256 at rest, TLS 1.3 in transit. Gmail refresh tokens are individually encrypted with a unique key.

Data Isolation

Every database query is scoped to your user ID via Supabase Row Level Security. No cross‑user data access is possible.

Resilient Backups

Daily encrypted snapshots are retained for 90 days, with point‑in‑time recovery. Backups are stored in separate regions.

Infrastructure & Network

Hosted on Render with built‑in DDoS mitigation
Cloudflare DNS & CDN for global availability
All traffic encrypted via HTTPS (TLS 1.3)
Automatic OS & dependency security patches
Supabase PostgreSQL with Row Level Security
SSL‑enforced database connections with connection pooling
Point‑in‑time recovery enabled up to 7 days
Database backups encrypted at rest and transmitted securely

API & Authentication Security

Bearer Token Authentication

Every API endpoint is gated. Only valid Supabase‑issued JWTs can access resources, and they are always scoped to your user ID.

Rate Limiting

Auth endpoints (login, password reset) are rate‑limited to prevent brute‑force attacks. General API rate limits ensure fair use.

CORS Policy

Cross‑origin requests are restricted to our official domains, preventing unauthorized websites from making API calls on your behalf.

Input Validation & Sanitization

All user inputs are validated and sanitized to prevent injection attacks (SQL, NoSQL, XSS).

AI & Email Integration Security

Google Gemini Integration

Only context (client name, business, project, type, tone) is transmitted. No sensitive payment or auth data is sent. Google does not use your prompts for model training. Responses are cached locally to reduce exposure.

Gmail OAuth & Token Storage

We request only send and inbox read permissions (for reply detection). Refresh tokens are encrypted with AES‑256‑CBC using a secure key unique to your environment. Tokens are deleted immediately upon disconnection.

Discord & Telegram Notifications

Discord Bot

Only your Discord ID, username, and a private channel ID are stored to deliver notifications. The bot cannot read or access any server messages. Channel creation uses restricted permissions visible only to you and the bot.

Telegram Bot

A one‑time link token connects your account. Only your Chat ID is stored. The bot cannot send messages unless you initiate the connection, and all identifiers are deleted when you disconnect.

Chrome Extension

The CloseDraft Chrome Extension injects a “Generate” button into Gmail’s compose window. It only accesses the recipient’s email address to match it with your CloseDraft client list. No email content is read, stored, or transmitted. The extension requires minimal permissions and uses Manifest V3.

Payment Security

All payments are processed by Polar.sh, a PCI‑DSS Level 1 compliant payment processor. CloseDraft never receives, stores, or transmits your full credit card number. We only store a payment status reference and subscription ID.

Report a Security Vulnerability

We take security reports seriously. If you discover a potential vulnerability, please contact us immediately at:

closedraft@gmail.com

We aim to respond within 48 hours. Please allow us a reasonable period to investigate and address the issue before disclosing it publicly.