Security
AltBrain is built with security as a foundation, not an afterthought. Here are the technical details of how we protect your data.
Authentication
MCP connections use OAuth 2.1 with PKCE (Proof Key for Code Exchange) for secure authorization. This is the same protocol used by major platforms for third-party app connections. Access tokens are time-limited with secure refresh flows.
Transport security
All traffic is encrypted using TLS 1.2 or higher. We enforce HSTS with a 2-year max-age and preload directive, ensuring browsers always use secure connections.
Security headers
| Header | Value |
|---|---|
| Content-Security-Policy | Strict CSP with nonce-based scripts |
| X-Frame-Options | DENY |
| X-Content-Type-Options | nosniff |
| Referrer-Policy | strict-origin-when-cross-origin |
| Permissions-Policy | Restrictive feature policy |
| Cross-Origin-Embedder-Policy | credentialless |
| Cross-Origin-Opener-Policy | same-origin |
EU data residency
| Service | Provider | Region |
|---|---|---|
| Database | Supabase (PostgreSQL) | Ireland (eu-west-1) |
| File Storage | Backblaze B2 | Netherlands (eu-central-003) |
| Application | Vercel | Global CDN, EU origin |
Database security
Row Level Security (RLS) is enforced at the PostgreSQL database level. Every query is scoped to the authenticated user \u2014 even if application code has a bug, the database won't return data you're not authorized to see.
File upload security
Uploaded files go through magic-byte validation (checking the actual file contents, not just the extension) and are matched against an allowlist of safe file types. Files are stored in isolated paths with signed URLs for access.
Rate limiting
MCP endpoints are rate-limited to 60 requests per 60 seconds per connection. API routes have separate rate limits. Rate limit responses use standard HTTP 429 or JSON-RPC error codes.
Monitoring
We use Sentry for error monitoring with PII (personally identifiable information) disabled. All API inputs are validated using Zod schemas before processing.
Found a security issue? Contact us at support@altbrain.io