Legal • Updated May 22, 2026

Security

Security is foundational to NeuroAPI. We follow defense-in-depth practices across application, infrastructure, and operational layers.

Application security

  • API keys are stored only as SHA-256 hashes; we cannot recover lost keys
  • All authenticated endpoints enforce row-level security in Postgres
  • Server functions validate input with strict schemas before any database call
  • CSRF, XSS, and SQL-injection mitigations on every form and API surface

Infrastructure

  • Edge compute on Cloudflare Workers with isolation per request
  • Managed Postgres on Supabase with automated daily backups and PITR
  • TLS 1.2+ everywhere; HSTS preloaded
  • Secrets stored in encrypted environment vaults — never in source

Operations

  • Least-privilege admin access with mandatory hardware-key MFA
  • Centralized audit logs retained for 1 year
  • Quarterly access reviews and 24/7 on-call rotation
  • Documented incident response with 72-hour breach notification

Compliance

NeuroAPI aligns with SOC 2 Type II controls and supports GDPR, UK GDPR, and CCPA workflows. Our Data Processing Addendum is available without signature.

We proudly respect robots.txt

Every outbound fetch — scrape, crawl, map, batch, search, extract, summary, screenshot, highlights, branding, interact, question, and all MCP tool calls — is gated by the target site's robots.txt. Disallowed URLs are rejected before any request leaves our network. Publisher crawl preferences are enforced as a platform-level guarantee, not a per-customer setting.

Responsible disclosure

If you discover a vulnerability, please email security@neuroapi.me. Include reproduction steps and impact. We commit to:

  • Acknowledging your report within 2 business days
  • Validating and triaging within 5 business days
  • Patching critical issues within 7 days
  • Acknowledging you publicly, if you wish

Out of scope: denial-of-service, social engineering, physical attacks, and findings on third-party SaaS we use.

Questions? Email legal@neuroapi.me.