
Trust

Security overview

How SaliencyLab handles access, uploads, AI processing, vendor relationships, and incident response. Written to be concrete about current practice and clear about what is not yet claimed.

Last updated: April 20, 2026

Current controls snapshot

Workspace access

Workspace views sit behind authenticated routes. Media access is handled through short-lived signed URLs (15-minute TTL) rather than public bucket links. Role-based access (owner / admin / editor / viewer) is enforced in the product.

Data in transit and at rest

All traffic is served over TLS 1.3. Data at rest is encrypted with AES-256 (Supabase managed Postgres and Storage default). Backups are encrypted with the same standard.

Tenant isolation

Row-level security (RLS) policies enforce workspace isolation at the database layer. Every privileged operation (for example, pro_override) is recorded in an audit log.

Vendor processing

Creative analysis is run on Google Cloud Vertex AI and related Google Cloud services. Per Vertex AI terms, customer inputs are not used to train foundation models. Full sub-processor list at /legal/sub-processors.

Data residency

Primary database and object storage run in Supabase EU (Frankfurt). Select operational sub-processors (Vercel, Stripe, Resend, PostHog, Sentry) are US-based or multi-region. Cross-border transfers are covered by SCCs per our DPA.

Independent testing

Most recent independent penetration test: April 2026 (internal review plus Codex agent-driven scan). Summary available to enterprise prospects on request under NDA.

Data handling

What data is collected

Email addresses for authentication, uploaded creative assets (images and videos) for analysis, and usage analytics. No payment card data is stored on our infrastructure — all payment processing is handled by Stripe.

How data is processed

Uploaded creatives are processed through Supabase Edge Functions (Deno runtime) and sent to Google Cloud Vertex AI for analysis. Processing happens in real time, and results are stored alongside the original upload in the private workspace.

Where data is stored

Primary database and object storage in Supabase EU (Frankfurt) with row-level security. Creative assets are stored in private Storage buckets with signed URL access. Database backups run daily and are retained for up to 30 days.
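The short-lived signed URLs mentioned under Workspace access and again here are the mechanism that keeps private Storage objects off public bucket links. The block below is an added illustration, not SaliencyLab's code and not Supabase's signed-URL implementation: an HMAC mint/verify pair with the 15-minute TTL the page states, where the signature covers both the object path and the expiry so that neither can be altered without invalidating the link. The host, workspace path, secret and timestamp are constructed placeholders.

```typescript
// Added example, not SaliencyLab's or Supabase's code: an HMAC-signed URL scheme
// that gives time-limited access to an object in a private bucket. The signature
// covers the object path and the expiry, so changing either invalidates the link.
import { createHmac, timingSafeEqual } from "node:crypto";
import { Buffer } from "node:buffer";

// 15-minute lifetime, as stated on the page.
const SIGNED_URL_TTL_SECONDS = 15 * 60;

function signPathAndExpiry(secret: string, pathname: string, expires: number): string {
  // Newline separator keeps "/a/b" + "12" distinct from "/a/b1" + "2".
  return createHmac("sha256", secret).update(`${pathname}\n${expires}`).digest("hex");
}

// Mint a link for one object. `nowSeconds` is passed in so expiry is testable.
function mintSignedUrl(
  baseUrl: string,
  objectPath: string,
  secret: string,
  nowSeconds: number,
  ttlSeconds: number = SIGNED_URL_TTL_SECONDS,
): string {
  const url = new URL(objectPath, baseUrl);
  const expires = nowSeconds + ttlSeconds;
  url.searchParams.set("expires", String(expires));
  url.searchParams.set("sig", signPathAndExpiry(secret, url.pathname, expires));
  return url.toString();
}

type VerifyResult = { ok: boolean; reason: string };

// Verify a presented link. The signature is checked before the expiry so a forged
// expiry on an otherwise valid link is reported as a bad signature, not as "expired".
function verifySignedUrl(presented: string, secret: string, nowSeconds: number): VerifyResult {
  const url = new URL(presented);
  const expiresRaw = url.searchParams.get("expires");
  const sig = url.searchParams.get("sig");
  if (expiresRaw === null || sig === null) return { ok: false, reason: "missing expires or sig" };
  const expires = Number(expiresRaw);
  if (!Number.isInteger(expires)) return { ok: false, reason: "malformed expires" };

  const expected = Buffer.from(signPathAndExpiry(secret, url.pathname, expires), "hex");
  const given = Buffer.from(sig, "hex");
  // Constant-time comparison; length is checked first because timingSafeEqual requires equal lengths.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    return { ok: false, reason: "bad signature" };
  }
  if (nowSeconds >= expires) return { ok: false, reason: "expired" };
  return { ok: true, reason: "valid" };
}

// Constructed demo values: placeholder host, workspace path, secret and clock.
const DEMO_BASE = "https://media.example.invalid";
const DEMO_PATH = "/workspaces/ws_42/uploads/creative.mp4";
const DEMO_SECRET = "constructed-demo-secret-do-not-reuse";
const DEMO_NOW = 1_776_600_000; // arbitrary Unix time, in seconds

const link = mintSignedUrl(DEMO_BASE, DEMO_PATH, DEMO_SECRET, DEMO_NOW);
console.log("minted:", link);
console.log("1 min later:", verifySignedUrl(link, DEMO_SECRET, DEMO_NOW + 60));
console.log("15 min later:", verifySignedUrl(link, DEMO_SECRET, DEMO_NOW + SIGNED_URL_TTL_SECONDS));
console.log("path swapped:", verifySignedUrl(link.replace("ws_42", "ws_43"), DEMO_SECRET, DEMO_NOW + 60));
```

The point a reviewer should take from this is the failure modes: a link that has reached its TTL is refused even with a valid signature, and a link whose path or expiry has been edited fails the signature check, so a leaked link is useful only for the object and window it was minted for.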

Data retention

Creative assets and analysis results are retained while the account is active. Users can delete individual analyses or the entire account at any time. Deleted data is removed from active systems within 30 days; backup rotation completes within 90 days.

AI processing transparency

Models used

Google Vertex AI (Gemini 2.5 Flash and Pro) for multimodal creative analysis, Google Cloud Video Intelligence for shot detection, Google Cloud Speech-to-Text for audio transcription. All AI processing runs on Google Cloud infrastructure.

What is sent to the model

Uploaded images and video frames are sent to Vertex AI with structured prompts. Video audio is sent to Speech-to-Text for transcription. No other customer data is included in model requests.

Training policy

Google Vertex AI does not use customer data for model training when accessed via the API. SaliencyLab does not train its own models on customer uploads. Outputs are returned per-request and stored only in the customer workspace.

Incident response

Detection

Production systems are monitored via Sentry for error spikes, Supabase observability for database health, and Vercel for runtime issues. Critical alerts page the on-call engineer.

Notification SLA

In the event of a personal data breach affecting Customer Content, account owners will be notified by email without undue delay, and in any event within 72 hours of awareness. Full obligations are set out in the DPA.

Responsible disclosure

Security researchers can report vulnerabilities to contact@saliencylab.com. We commit to acknowledging within 3 business days and requesting a 90-day embargo before public disclosure while we investigate and remediate.

Independent audits you can run

SaliencyLab's production TLS config and HTTP security headers are continuously audited by public scanners. We don't ship static badges — the following links run a fresh scan against our live domain on demand, so the result reflects current state, not what we claim. Re-run any of them any time.

SSL Labs (Qualys)

Deep TLS / certificate / cipher-suite analysis. Checks protocol support, key strength, known vulnerabilities (Heartbleed, POODLE, etc.), and certificate chain correctness.

Run a live SSL Labs scan →

Mozilla Observatory

Mozilla's security-headers scanner. Grades CSP, HSTS, X-Frame-Options, Referrer-Policy, Permissions-Policy, cookie flags, and subresource integrity.

Run a Mozilla Observatory scan →

SecurityHeaders.com

Scott Helme's scanner. Lightweight headers grade (A+ through F) with specific missing-header callouts.

Run a SecurityHeaders scan →

Current header configuration (April 2026):

  • HSTS: max-age=63072000; includeSubDomains; preload — enrolled in the Chrome HSTS preload list.
  • CSP: strict default-src 'self'; script/connect sources limited to Supabase, Vercel, PostHog, Sentry, and allowed style/font/img origins only. frame-ancestors 'none' blocks iframe embedding.
  • Referrer-Policy: strict-origin-when-cross-origin.
  • X-Frame-Options: DENY (clickjacking protection).
  • X-Content-Type-Options: nosniff.
  • Permissions-Policy: camera, microphone, geolocation all disabled by default.
  • TLS: TLS 1.3 via Vercel edge, rotating certificates managed by Let's Encrypt / Vercel.

If a live scan ever returns below A on any of the above, that's a regression and we want to hear about it — contact@saliencylab.com.
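The external scanners above grade the live domain, but the same checks can be expressed as a regression test against the configuration listed here, so a weakened deployment is caught before a scan is. The block below is an added example, not SaliencyLab's code and not the scanners' grading logic: it parses a set of response headers and reports every departure from the stated HSTS, CSP, framing, MIME-sniffing, referrer and permissions settings. The origins inside the sample CSP are constructed placeholders, not the real allow-list.

```typescript
// Added example, not SaliencyLab's code: evaluate a set of HTTP response headers
// against the configuration stated on this page. Expected values come from the
// page; hostnames in the sample policies are constructed placeholders.

type HeaderMap = Record<string, string>;

// Two years in seconds, the HSTS max-age stated on the page.
const MIN_HSTS_MAX_AGE = 63072000;

// Case-insensitive lookup, since header names are case-insensitive on the wire.
function getHeader(headers: HeaderMap, name: string): string | undefined {
  const wanted = name.toLowerCase();
  for (const [k, v] of Object.entries(headers)) {
    if (k.toLowerCase() === wanted) return v;
  }
  return undefined;
}

// Parse "max-age=63072000; includeSubDomains; preload" into its parts.
function parseHsts(value: string): { maxAge: number; includeSubDomains: boolean; preload: boolean } {
  const parts = value.split(";").map((p) => p.trim().toLowerCase());
  const maxAgePart = parts.find((p) => p.startsWith("max-age="));
  return {
    maxAge: maxAgePart ? Number(maxAgePart.slice("max-age=".length)) : -1,
    includeSubDomains: parts.includes("includesubdomains"),
    preload: parts.includes("preload"),
  };
}

// Parse a CSP string into directive -> source list.
function parseCsp(value: string): Map<string, string[]> {
  const directives = new Map<string, string[]>();
  for (const clause of value.split(";")) {
    const tokens = clause.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}

// Returns a list of findings; an empty list means every stated control is present.
function checkSecurityHeaders(headers: HeaderMap): string[] {
  const findings: string[] = [];

  const hsts = getHeader(headers, "Strict-Transport-Security");
  if (!hsts) {
    findings.push("HSTS: header missing");
  } else {
    const parsed = parseHsts(hsts);
    if (parsed.maxAge < MIN_HSTS_MAX_AGE) findings.push(`HSTS: max-age ${parsed.maxAge} below ${MIN_HSTS_MAX_AGE}`);
    if (!parsed.includeSubDomains) findings.push("HSTS: includeSubDomains missing");
    if (!parsed.preload) findings.push("HSTS: preload missing");
  }

  const csp = getHeader(headers, "Content-Security-Policy");
  if (!csp) {
    findings.push("CSP: header missing");
  } else {
    const d = parseCsp(csp);
    const defaultSrc = d.get("default-src") ?? [];
    if (defaultSrc.length !== 1 || defaultSrc[0] !== "'self'") findings.push("CSP: default-src is not exactly 'self'");
    const frameAncestors = d.get("frame-ancestors") ?? [];
    if (frameAncestors.length !== 1 || frameAncestors[0] !== "'none'") findings.push("CSP: frame-ancestors is not 'none'");
    for (const name of ["script-src", "connect-src"]) {
      const sources = d.get(name) ?? [];
      if (sources.some((s) => s === "*" || s === "'unsafe-inline'" || s === "'unsafe-eval'")) {
        findings.push(`CSP: ${name} contains a wildcard or unsafe keyword`);
      }
    }
  }

  if ((getHeader(headers, "X-Frame-Options") ?? "").toUpperCase() !== "DENY") findings.push("X-Frame-Options: expected DENY");
  if ((getHeader(headers, "X-Content-Type-Options") ?? "").toLowerCase() !== "nosniff") findings.push("X-Content-Type-Options: expected nosniff");
  if ((getHeader(headers, "Referrer-Policy") ?? "").toLowerCase() !== "strict-origin-when-cross-origin") findings.push("Referrer-Policy: expected strict-origin-when-cross-origin");

  // "camera=()" is an empty allow-list, i.e. the feature is disabled for every origin.
  const pp = getHeader(headers, "Permissions-Policy") ?? "";
  const ppClauses = pp.split(",").map((c) => c.replace(/\s+/g, "").toLowerCase());
  for (const feature of ["camera", "microphone", "geolocation"]) {
    if (!ppClauses.includes(`${feature}=()`)) findings.push(`Permissions-Policy: ${feature} not disabled`);
  }
  return findings;
}

// Constructed sample mirroring the stated configuration (origins are placeholders).
const STATED_HEADERS: HeaderMap = {
  "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
  "Content-Security-Policy": [
    "default-src 'self'",
    "script-src 'self' https://analytics.example.invalid https://errors.example.invalid",
    "connect-src 'self' https://db.example.invalid https://analytics.example.invalid https://errors.example.invalid",
    "img-src 'self' data:",
    "style-src 'self'",
    "font-src 'self'",
    "frame-ancestors 'none'",
  ].join("; "),
  "Referrer-Policy": "strict-origin-when-cross-origin",
  "X-Frame-Options": "DENY",
  "X-Content-Type-Options": "nosniff",
  "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
};

// A constructed regressed deployment: short HSTS without preload, framing allowed
// from the same origin, inline scripts permitted.
const REGRESSED_HEADERS: HeaderMap = {
  ...STATED_HEADERS,
  "Strict-Transport-Security": "max-age=300",
  "X-Frame-Options": "SAMEORIGIN",
  "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'; frame-ancestors 'none'",
};

console.log("stated config findings:", checkSecurityHeaders(STATED_HEADERS));
console.log("regressed config findings:", checkSecurityHeaders(REGRESSED_HEADERS));
```

Run against a real response (for example the headers object from a `fetch` of the production origin), an empty findings list corresponds to the configuration listed above; any entry is the regression the paragraph asks to hear about.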

Certifications

SaliencyLab does not yet hold SOC 2 Type II or ISO/IEC 27001 certifications. We inherit the underlying compliance posture of our primary infrastructure providers:

  • Supabase (database, auth, storage): SOC 2 Type II.
  • Vercel (hosting): SOC 2 Type II.
  • Google Cloud (AI and supporting services): SOC 1/2/3, ISO 27001, ISO 27017, ISO 27018.
  • Stripe (payments): PCI DSS Level 1.

A SaliencyLab-level certification roadmap will be shared with enterprise prospects under NDA on request. Until then, we are transparent that certifications are inherited, not independent.

Data Processing Agreements

Our Data Processing Addendum (DPA) is published at /dpa and can be countersigned by enterprise customers. It covers controller/processor roles, sub-processor notice, Standard Contractual Clauses for international transfers, 72-hour breach notification, and deletion / return of data on termination.

The current sub-processor list is published at /legal/sub-processors.

What enterprise teams usually ask

Most enterprise reviews come down to four questions: who can access raw files, how media URLs are exposed, what vendors touch the content, and what claims the company is willing to make in a procurement process.

  • Ask which routes are public and which are authenticated.
  • Ask whether uploads are exposed through public bucket URLs or signed access paths.
  • Ask which external AI services process content and for what purpose.
  • Ask which commitments are already public versus which require a contract or security review.
