Security Overview

No critical findings in our latest review

Last updated: 28 February 2026

Security at a glance

  • AI usage transparency. AI features generate assistive outputs and require user review before use.
  • Encrypted in transit. All connections use HTTPS/TLS.
  • Stateless auth verification. API requests are verified against Supabase Auth (no client-side JWT trust).
  • Abuse prevention. Dual rate limiting (IP + account) with pro-aware limits and safe fallbacks.
  • Admin protection. Admin access is enforced via database checks (not UI-only rules).
  • Webhook integrity. Stripe webhooks are verified using signature validation.
  • Input validation & size limits. Requests enforce payload limits and allowlists to reduce misuse.
  • No card data stored. Payments are handled by Stripe (PCI-compliant).
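As an added illustration of the "Webhook integrity" item above (this is example code, not Framelance's implementation): Stripe's documented scheme signs the string "<timestamp>.<raw request body>" with HMAC-SHA256 under the endpoint secret and sends the result in a Stripe-Signature header of the form t=<timestamp>,v1=<hex>. The verifier below re-computes that MAC, compares it in constant time, and rejects timestamps outside a replay window. The secret, payload and clock values are constructed for the example; in production the official stripe library's Webhook.construct_event performs the same checks.

```python
import hashlib
import hmac
import time
from typing import List, Optional, Tuple

# Stripe's documented default: signatures older than 5 minutes are rejected,
# which bounds how long a captured request could be replayed.
TOLERANCE_SECONDS = 300


def compute_signature(secret: str, timestamp: int, payload: bytes) -> str:
    """HMAC-SHA256 over "<timestamp>.<raw body>", hex-encoded (Stripe v1 scheme)."""
    signed = f"{timestamp}.".encode() + payload
    return hmac.new(secret.encode(), signed, hashlib.sha256).hexdigest()


def parse_signature_header(header: str) -> Tuple[Optional[int], List[str]]:
    """Split "t=...,v1=...,v1=..." into the timestamp and the list of v1 hex digests.

    Several v1 entries can appear while an endpoint secret is being rotated,
    so every candidate is kept. Non-hex values are dropped so the constant-time
    comparison below never sees malformed input.
    """
    timestamp: Optional[int] = None
    candidates: List[str] = []
    for part in header.split(","):
        key, _, value = part.strip().partition("=")
        if key == "t" and value.isdigit():
            timestamp = int(value)
        elif key == "v1" and value and all(ch in "0123456789abcdef" for ch in value):
            candidates.append(value)
    return timestamp, candidates


def verify_webhook(payload: bytes, header: str, secret: str,
                   now: Optional[int] = None) -> bool:
    """Return True only if the header carries a fresh, valid signature for payload.

    `payload` must be the raw bytes exactly as received; re-serialising parsed
    JSON would change the bytes and break the MAC.
    """
    timestamp, candidates = parse_signature_header(header)
    if timestamp is None or not candidates:
        return False
    current = int(time.time()) if now is None else now
    if abs(current - timestamp) > TOLERANCE_SECONDS:
        return False
    expected = compute_signature(secret, timestamp, payload)
    # compare_digest avoids leaking how many leading characters matched.
    return any(hmac.compare_digest(expected, candidate) for candidate in candidates)


if __name__ == "__main__":
    # Constructed values: a fake endpoint secret and a fake event body.
    secret = "whsec_constructed_example_secret"
    payload = b'{"id":"evt_constructed","type":"checkout.session.completed"}'
    ts = 1_700_000_000
    header = f"t={ts},v1={compute_signature(secret, ts, payload)}"
    print("valid:", verify_webhook(payload, header, secret, now=ts + 10))
    print("tampered:", verify_webhook(payload + b" ", header, secret, now=ts + 10))
    print("stale:", verify_webhook(payload, header, secret, now=ts + 900))
```

The handler should run this check before parsing the body or touching any state, and treat a failure as a plain 400 with no detail about which check failed.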

1. Security Approach

Framelance is built with security as a core principle. We apply reasonable technical and organisational safeguards designed to protect user data, maintain system integrity, and reduce the risk of unauthorised access.

No system is 100% secure, but we continuously improve controls and respond promptly to issues that arise.

2. Infrastructure

  • Managed authentication and database infrastructure via Supabase
  • Environment separation for production and development
  • Secure secrets handling (keys are never embedded in client code)
  • Operational monitoring and backups to support availability and recovery

3. Authentication & Access Control

  • Secure user authentication managed by Supabase Auth
  • Stateless token verification on protected API routes
  • Admin-only areas are protected with database-level authorization checks
  • Row-level security (RLS) policies on database tables where applicable

4. Data Protection

  • Encryption in transit across all services
  • Request size limits and input allowlists to reduce abuse
  • File uploads are validated using type allowlists and signature checks
  • Deactivated accounts are blocked from using AI features until restored
  • Regular dependency and security updates
  • Data minimisation: we collect only what we need to operate the Service
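The size-limit and upload-validation items above combine three checks: the declared type must be on an allowlist, the body must be under a byte limit, and the file's leading bytes must match the signature of the type it claims to be. The following is an added example of that logic, not Framelance's code; the allowed types, magic-byte prefixes and 5 MB limit are assumptions chosen for illustration.

```python
from typing import Dict, List, Tuple

# Allowlist: declared MIME type -> leading byte sequences that type actually uses.
# Anything not listed is rejected regardless of its content (assumed set).
ALLOWED_TYPES: Dict[str, List[bytes]] = {
    "image/png": [b"\x89PNG\r\n\x1a\n"],
    "image/jpeg": [b"\xff\xd8\xff"],
    "application/pdf": [b"%PDF-"],
}

# Assumed upper bound on an accepted upload body.
MAX_UPLOAD_BYTES = 5 * 1024 * 1024


def validate_upload(declared_type: str, data: bytes,
                    max_bytes: int = MAX_UPLOAD_BYTES) -> Tuple[bool, str]:
    """Return (accepted, reason). Checks run cheapest-first so an oversized or
    mistyped request is refused before its content is inspected."""
    if declared_type not in ALLOWED_TYPES:
        return False, "type not allowed"
    if len(data) > max_bytes:
        return False, "payload exceeds size limit"
    # The Content-Type header is client-controlled; the magic bytes are not,
    # so a body whose content does not match its declared type is refused.
    if not any(data.startswith(sig) for sig in ALLOWED_TYPES[declared_type]):
        return False, "content does not match declared type"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample bodies.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
    print(validate_upload("image/png", png))                      # (True, 'ok')
    print(validate_upload("image/gif", b"GIF89a"))                 # type not allowed
    print(validate_upload("image/png", b"<html>constructed</html>"))  # mismatch
```

The reason string is useful for server-side logging; the response to the client should stay generic so the check does not become an oracle for probing the allowlist.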

5. Payment Security

Payments are processed by Stripe, a PCI-compliant payment provider. Framelance does not store, log, or have access to full payment card details.

6. AI Processing

When AI features are used, relevant input data is transmitted securely to OpenAI (or our AI service provider at the time) over encrypted connections to generate the requested output.

AI-generated outputs are assistive and may not always be accurate or suitable for every context. Users remain responsible for reviewing and validating outputs before using them in client communication, pricing decisions, or other professional activities.

Important: Framelance does not use your private workspace content to train its own AI models. Our AI provider’s processing is governed by their terms and applicable contractual safeguards.

For more details, see our Privacy Policy.

7. Incident Response

In the event of a security incident affecting personal data, we take appropriate steps to investigate, mitigate, and restore service. Affected users and, where applicable, relevant authorities will be notified in accordance with applicable law (including within 72 hours under UK GDPR where required).

Business customers may also refer to our Data Processing Addendum for breach notification commitments.

8. Your Responsibility

Users are responsible for maintaining strong, unique passwords and protecting account credentials. Do not share login details. If you suspect unauthorised access, contact us immediately.

9. Vulnerability Reporting

If you discover a potential security vulnerability in Framelance, please report it responsibly by emailing support@framelance.com with a clear description and reproduction steps (if available).

Security issues can also be reported to security@framelance.com.

  • Please avoid social engineering, phishing, or physical attempts to access systems.
  • Please do not access or exfiltrate data that does not belong to you.
  • Please do not publicly disclose vulnerabilities before we have a reasonable opportunity to fix them.