Security

Last updated: 2026-04-27

How we protect your account, your API keys, and the metadata we handle on your behalf. For the complete data-handling contract see the Data Processing Agreement and Privacy Policy.

Encryption in transit

All connections to api.mentionsapi.com, mentionsapi.com, and our Supabase Edge Functions are TLS-only (TLS 1.2 or later). Plain-HTTP requests are redirected to HTTPS at the edge, and HSTS is enforced so that a browser that has seen the header never repeats that first unencrypted request. API clients should use HTTPS URLs from the start rather than rely on the redirect: a bearer token sent in a redirected HTTP request has already left the client in the clear.

API keys

  • Plaintext tokens are shown once at creation. Only a hash is stored server-side; recovery of a lost key is not possible — rotate or revoke instead.
  • Keys are scoped to a single account. We do not support shared keys across accounts.
  • Authentication is bearer-token over TLS. Keys can be revoked from the Keys page at any time; revocation takes effect at the edge in under a minute.
  • We log only key prefixes (e.g., lvk_live_Svvd…) for audit. Full tokens are never logged.

Wallet & billing integrity

  • Balance deduction is atomic: it is a single guarded UPDATE statement on the Postgres side whose guard requires a sufficient balance, so a charge either succeeds against that balance or affects no row. Wallets cannot go negative under any concurrency.
  • Idempotency keys prevent duplicate charges on client retry. Send a unique key per logical request and reuse it on every retry of that request; replays return the original response with the header idempotency-replay: true and no additional billing.
  • Card details never reach our servers — they are tokenized by Stripe Checkout. We retain only the Stripe customer ID and the last 4 digits for display.
  • All wallet movements (top-ups, deductions, refunds) write audit rows with the request_id for traceability.

Database isolation

  • Customer data lives in a Postgres database with row-level security (RLS) enforced on every table that holds account-scoped rows. Authenticated users see only their own rows.
  • Service-role access is restricted to the Worker and Edge Functions via the Supabase service-role key, which is held in encrypted secret stores and never exposed in client-side code.
  • Migrations are version-controlled, reviewed, and applied through CI; no manual schema changes in production.

Worker isolation

The API runs on Cloudflare Workers, where the Worker's code executes in its own V8 isolate with memory separated from every other Worker on the same machine. One isolate can serve many requests in succession, so cross-request separation also relies on the Worker holding no request-scoped data in module-level variables. Worker secrets (Stripe key, Supabase service-role key, shared proxy auth tokens) are bound to the Worker runtime and are never exposed to client code.

Webhook signing

Watch webhook deliveries are signed with HMAC-SHA256 using the secret you provide on creation. The signature follows the Stripe-style t=<ts>,v1=<sig> scheme, so you can check the timestamp against a tolerance window and reject replayed deliveries. Verify over the raw request body exactly as received, not over a re-serialized copy. Verification examples in three languages are available in the webhook docs.

Webhook secret encryption

Webhook signing secrets are encrypted at rest using pgcrypto with envelope encryption. The vault key is held outside the primary database and rotated on schedule. Secrets are only decrypted in-memory at delivery time and never logged.

No raw query/response logging

We do not persist request bodies (your queries) or response bodies (the AI answers we return) beyond the brief in-memory window required to deliver the call, with one exception: the response cache. It stores responses keyed by a hash of the request, with mode-specific TTLs (5 min for L1, 1 hour for L2, 24 hours for L3), and is purged on schedule. A cached response is bound to the account that originated it, so one account's cached answer is never served to another.

Rate limiting & abuse

  • Per-key, per-mode rate limits enforced at the edge: quick 60/min, *_live (any mode whose name ends in _live) 10/min, deep 2/min.
  • Cloudflare WAF rules block common automated abuse patterns (request floods, malformed payloads, known scraper user agents).
  • Per-account daily spend caps available on request to protect against runaway scripts.
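To make the per-key, per-mode limits concrete, here is an added token-bucket limiter using the numbers listed above. It is not mentionsapi.com's edge code, and it assumes two things the page leaves open: that "*_live" means any mode whose name ends in _live, and that bucket capacity and refill rate are both equal to the per-minute limit (so a burst of a full minute's quota is allowed, then one request per 60/limit seconds). Mode names such as web_live are invented for the sample.

```javascript
// Added example, not the project's code. Token bucket per (key, mode) with the
// limits stated on this page; the limit-resolution rule for "*_live" is assumed.
const LIMITS_PER_MIN = { quick: 60, deep: 2 };
const LIVE_LIMIT_PER_MIN = 10;

// Map a mode name to its per-minute limit; unknown modes get null so the
// caller rejects rather than falling back to a permissive default.
function limitForMode(mode) {
  if (typeof mode !== "string") return null;
  if (mode.endsWith("_live")) return LIVE_LIMIT_PER_MIN;
  if (Object.prototype.hasOwnProperty.call(LIMITS_PER_MIN, mode)) return LIMITS_PER_MIN[mode];
  return null;
}

class TokenBucketLimiter {
  constructor() {
    this.buckets = new Map(); // `${keyId}:${mode}` -> { tokens, updatedMs }
  }

  // Decide one request. Returns { allowed, remaining, retryAfterSeconds }.
  // nowMs is injectable so the behaviour can be checked with a fixed clock.
  check(keyId, mode, nowMs = Date.now()) {
    const limit = limitForMode(mode);
    if (limit === null) return { allowed: false, remaining: 0, retryAfterSeconds: null };

    const id = `${keyId}:${mode}`;
    let b = this.buckets.get(id);
    if (!b) {
      b = { tokens: limit, updatedMs: nowMs }; // a new key starts with a full bucket
      this.buckets.set(id, b);
    }

    // Refill proportionally to elapsed time, capped at the bucket size.
    // Computed as (elapsed * limit) / 60000 to keep whole-token refills exact.
    const elapsed = Math.max(0, nowMs - b.updatedMs);
    b.tokens = Math.min(limit, b.tokens + (elapsed * limit) / 60000);
    b.updatedMs = nowMs;

    if (b.tokens >= 1) {
      b.tokens -= 1;
      return { allowed: true, remaining: Math.floor(b.tokens), retryAfterSeconds: 0 };
    }
    // Time until one whole token is back, rounded up to whole seconds for Retry-After.
    const waitMs = ((1 - b.tokens) * 60000) / limit;
    return { allowed: false, remaining: 0, retryAfterSeconds: Math.ceil(waitMs / 1000) };
  }
}
```

The `retryAfterSeconds` value is what an edge would put in a Retry-After header; for the deep mode it comes out at 30 seconds after the second request in a minute, which is the number a client backing off should expect to see.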

Audit logging

Sensitive operations — key creation, key revocation, top-ups, refunds, watch creation, watch deletion — are logged to an append-only audit table with the request_id, account_id, timestamp, and IP address. Logs are retained 90 days.

Incident response

We monitor error rates, upstream provider availability, and unusual usage patterns continuously. On detection of a security incident affecting customer data we follow GDPR Art. 33 timing (notification within 72 hours of confirmed awareness) and the terms in our DPA Section 7. Status updates are posted at status.mentionsapi.com.

Reporting a vulnerability

We welcome responsible disclosure. Email [email protected] with reproduction steps. We respond to confirmed reports within 5 business days. We do not currently run a paid bug bounty program but credit reporters in our security changelog by request.

What we do not claim

We are an early-stage independent provider. We do not currently hold SOC 2, ISO 27001, or HIPAA certifications. If your compliance posture requires those, we're probably not the right fit yet — talk to us at [email protected] and we'll be honest about timelines.