Security
1. Authentication
Authentication is handled by Clerk, an industry-standard auth provider used by thousands of production SaaS apps. Clerk handles password hashing (bcrypt, never stored in plaintext), session token issuance, and multi-factor authentication.
- Passwords meet OWASP-recommended complexity requirements (8+ characters, mixed case, numerals).
- Multi-factor authentication (TOTP / authenticator app) is available on all paid plans and recommended for all users.
- Suspicious sign-in attempts trigger an email alert and may require step-up verification.
- Session tokens are short-lived JWTs signed by Clerk and validated on every API request.
2. Encryption
- In transit. All traffic between your browser, our application, and our backend is encrypted with TLS 1.2 or higher. We force HTTPS on every page via HSTS.
- At rest. Database storage at Supabase uses AES-256 encryption at rest. Backups are encrypted with the same standard.
- Sensitive credentials. Social-platform OAuth tokens are stored encrypted in our database. We never store your social-platform passwords — only short-lived access tokens granted by the platform during OAuth.
3. Data isolation (multi-tenancy)
Bimerge AI is a multi-tenant application — multiple workspaces share the same database. Data isolation is enforced at the row level by Postgres itself, not by application code. Every table that contains workspace data has a Row Level Security (RLS) policy that restricts read and write operations to members of that workspace.
In practice, even if an attacker compromised our application code, they could not read another workspace's data without also compromising the database itself: the database verifies the requester's identity (via the Clerk JWT in the request) before returning any row.
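The RLS model described above, as an added example that is not Bimerge AI's own schema or policies: the tables, column names and the role-to-permission mapping are assumptions, as is the Clerk user id being carried in the JWT `sub` claim.

```sql
-- Hypothetical schema (assumed table and column names, not Bimerge AI's real one):
-- one membership table and one table of workspace content.
create table workspace_members (
  workspace_id uuid not null,
  user_id      text not null,  -- Clerk user id, assumed to arrive as the JWT "sub" claim
  role         text not null
               check (role in ('owner', 'admin', 'editor', 'approver', 'viewer')),
  primary key (workspace_id, user_id)
);

create table posts (
  id           uuid primary key default gen_random_uuid(),
  workspace_id uuid not null,
  body         text not null
);

-- With RLS enabled a table returns no rows until a policy grants them;
-- FORCE applies the policies to the table owner as well.
alter table workspace_members enable row level security;
alter table workspace_members force row level security;
alter table posts enable row level security;
alter table posts force row level security;

-- Membership test used by every policy. The identity comes from the verified JWT
-- (auth.jwt() is Supabase's wrapper around the request.jwt.claims setting that
-- PostgREST fills in after checking the signature), never from a query parameter.
create or replace function has_workspace_role(ws uuid, roles text[])
returns boolean language sql stable as $$
  select exists (select 1 from workspace_members m
                 where m.workspace_id = ws
                   and m.user_id = auth.jwt() ->> 'sub'
                   and m.role = any (roles))
$$;

-- Members may read only their own membership rows, which is all the function above needs.
create policy members_read_own on workspace_members
  for select using (user_id = auth.jwt() ->> 'sub');

-- Read: any role in the post's workspace.
create policy posts_member_read on posts
  for select using (has_workspace_role(workspace_id,
                    array['owner', 'admin', 'editor', 'approver', 'viewer']));

-- Write: roles assumed here to be allowed to modify content. USING limits which
-- existing rows can be updated or deleted, WITH CHECK what may be inserted or written.
create policy posts_editor_write on posts
  for all
  using      (has_workspace_role(workspace_id, array['owner', 'admin', 'editor']))
  with check (has_workspace_role(workspace_id, array['owner', 'admin', 'editor']));
```

The Supabase service-role key bypasses RLS entirely, so user-facing queries must run under the requester's own JWT for these policies to take effect.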
4. Access control
- Engineering access to production data is restricted to a minimal set of staff members and gated behind MFA.
- All production access is logged and reviewed quarterly.
- We do not use shared credentials. Every staff member has individual, attributable access.
- Workspace roles (Owner, Admin, Editor, Approver, Viewer) limit what each team member can read and modify within a workspace.
5. Sub-processors and infrastructure
We rely on a small number of audited third-party providers. Each is bound by a Data Processing Agreement and contractual confidentiality.
| Provider | Purpose | Region |
|---|---|---|
| Clerk | User authentication, identity, session management | USA |
| Supabase | Postgres database, storage, edge functions | USA / EU |
| OpenRouter (Anthropic) | AI content generation, scoring, repurposing | USA |
| Hostinger | Static frontend hosting + PHP runtime | EU |
| Stripe | Subscription billing and payment processing | USA / Ireland |
| Resend | Transactional email delivery | USA |
For a complete list of sub-processors and their certifications (SOC 2, ISO 27001, GDPR, etc.), see our Data Processing Addendum.
6. AI providers and your content
When you use AI features (Compose, Score, Repurpose), we send your prompt and any necessary context to OpenRouter, which routes it to the underlying model provider (Anthropic / Claude by default). Per OpenRouter's terms:
- Your content is not used to train any AI model.
- OpenRouter retains the request only for short-term abuse prevention (typically 30 days), then deletes it.
- The model providers (Anthropic, OpenAI, etc.) operate under enterprise data-handling agreements that prohibit training on user content.
7. Backups and disaster recovery
- Automated daily database backups, retained for 7 days on Free / Growth plans and 30 days on Pro / Agency plans.
- Point-in-time recovery available on Pro and Agency plans (restore to any second within the retention window).
- Backups are encrypted with AES-256 and stored in a separate region from primary data.
- Recovery time objective (RTO): 4 hours for primary services. Recovery point objective (RPO): 5 minutes (with PITR).
8. Incident response
If we detect or are notified of a security incident affecting customer data, we will:
- Investigate and contain the incident within 24 hours of detection.
- Notify affected customers without undue delay, and in any case within 72 hours of confirmation, where required by law (GDPR Article 33).
- Provide a written post-mortem describing the impact, root cause, and remediation steps.
9. Vulnerability disclosure
We take security reports seriously. If you discover a vulnerability, please email security@bimerge.online with a description, steps to reproduce, and your contact details. We will acknowledge within 2 business days and aim to triage critical issues within 24 hours.
We do not currently operate a paid bug-bounty program but we publicly thank responsible disclosers and will work with you on attribution where appropriate. We ask that you do not publicly disclose a vulnerability before we have had a reasonable opportunity to fix it.
10. Compliance and certifications
Bimerge AI is built on a foundation of providers that hold the following certifications:
- Clerk: SOC 2 Type II, GDPR-compliant, CCPA-compliant.
- Supabase: SOC 2 Type II, HIPAA-eligible, GDPR-compliant.
- Stripe: PCI DSS Level 1, SOC 2, ISO 27001.
- Hostinger: ISO 27001 certified data centres.
Bimerge AI itself is working toward SOC 2 Type I certification. We expect to complete the observation period in late 2026.
11. Your responsibilities
Security is shared. We protect the platform — you protect your account.
- Use a unique, strong password (or sign in with a passkey).
- Enable multi-factor authentication.
- Don't share your credentials with anyone, including Bimerge AI staff. We will never ask for your password.
- Review your active sessions periodically (Settings → Security → Active sessions) and revoke any you don't recognize.
- Use workspace member roles to limit what each teammate can do.
12. Reporting concerns
Found something that looks wrong, unsafe, or surprising? Tell us:
- Security vulnerabilities: security@bimerge.online
- Privacy / data concerns: privacy@bimerge.online
- General support: support@bimerge.online