Overview
At Stazion, security is fundamental to our mission of helping sales teams turn their own documents into proposals, quotes, and RFQ/RFx responses. This document describes the technical and organizational measures we implement to protect your data.
Stazion ApS (CVR 46244028) is based at Husumgade 31, 4. 15, 2200 København N, Denmark. This document complements our Privacy Policy and Data Processing Agreement.
Security Principles
Our security approach is built on:
- Defense in Depth: Multiple layers of security controls
- Principle of Least Privilege: Access limited to what is necessary
- Privacy by Design: Data minimization at every step
- Tenant Isolation: Each organization's data is separated at the database level
- Transparency: Clear communication about our practices
Data Encryption
Encryption at Rest
| Data Type | Encryption Method |
|---|---|
| Integration credentials (Microsoft OAuth tokens) | AES-256-GCM authenticated encryption |
| Database | Supabase (PostgreSQL) encryption at rest (AES-256) |
| File Storage | Supabase Storage encryption at rest (AES-256) |
| Backups | Encrypted automated backups |
Key Management:
- Encryption keys are managed separately from the data they protect
- Application-level secrets are stored outside the codebase as environment configuration
- Sensitive credentials are never written to logs
Encryption in Transit
| Connection | Protocol |
|---|---|
| User to Application | TLS (HTTPS enforced) |
| Application to Database | TLS encrypted connection |
| Application to APIs | TLS for all external APIs |
| Application to AI providers | TLS for all model and embedding calls |
Certificate Management:
- Certificates are automatically managed and renewed by our hosting platform
- HTTPS is enforced across the application
- Modern cipher suites only
Authentication & Access Control
User Authentication
- Supabase Auth: User sign-in is handled by our authentication provider
- Password Security: Passwords are hashed by the authentication provider and never stored in plain text
- Microsoft OAuth 2.0: Used to connect Microsoft 365 for sending email and Teams messages; OAuth access and refresh tokens are encrypted at rest
- Session Management: Secure HttpOnly session cookies with automatic expiration
- CSRF Protection: OAuth state is protected against cross-site request forgery
Authorization
| Control | Implementation |
|---|---|
| Role-Based Access Control | Defined roles (owner, admin, member) with specific permissions |
| Organization Isolation | Multi-tenant data separation enforced by row-level security |
| Audit Trail | Sensitive RFQ lifecycle actions recorded as audit events |
| Privileged Actions | Destructive RFQ mutations require owner or admin role |
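As an illustration added here (not Stazion's own schema or code), the following PostgreSQL row-level-security sketch shows how the controls in this table and the Tenant Isolation principle above fit together: organization membership gates reads and writes, and destructive mutations are limited to the owner and admin roles. Table names (`organization_members`, `rfqs`) and the helper `current_user_has_role` are assumptions; `auth.uid()` and `auth.users` are Supabase's built-ins.

```sql
-- Hypothetical schema for illustration only (not Stazion's actual tables):
-- organization_members(org_id, user_id, role), rfqs(id, org_id, title)
create table organization_members (
  org_id  uuid not null,
  user_id uuid not null references auth.users (id),
  role    text not null check (role in ('owner', 'admin', 'member')),
  primary key (org_id, user_id)
);

create table rfqs (
  id     uuid primary key default gen_random_uuid(),
  org_id uuid not null,
  title  text not null
);

-- Does the calling user hold one of the given roles in this organization?
-- SECURITY DEFINER so the membership lookup is not itself blocked by RLS.
create or replace function current_user_has_role(p_org uuid, variadic p_roles text[])
returns boolean
language sql stable security definer set search_path = public
as $$
  select exists (
    select 1 from organization_members m
    where m.org_id = p_org
      and m.user_id = auth.uid()
      and m.role = any (p_roles)
  );
$$;

alter table rfqs enable row level security;
alter table rfqs force row level security;  -- applies to the table owner as well

-- Tenant isolation: members see only their own organization's RFQs;
-- other organizations' rows are invisible rather than merely forbidden.
create policy rfqs_select_members on rfqs
  for select using (current_user_has_role(org_id, 'owner', 'admin', 'member'));

-- Members may create and edit within their organization; WITH CHECK
-- prevents an update from moving a row into another tenant.
create policy rfqs_insert_members on rfqs
  for insert with check (current_user_has_role(org_id, 'owner', 'admin', 'member'));
create policy rfqs_update_members on rfqs
  for update using (current_user_has_role(org_id, 'owner', 'admin', 'member'))
  with check (current_user_has_role(org_id, 'owner', 'admin', 'member'));

-- Privileged action: destructive mutations require owner or admin.
create policy rfqs_delete_privileged on rfqs
  for delete using (current_user_has_role(org_id, 'owner', 'admin'));
```

Because the policies are evaluated inside the database, they hold for every query path, including ones that bypass the application's route-level checks.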
Internal Access Control
- Employee Access: Strictly limited to operational necessity
- Production Access: Restricted to authorized personnel
- Vendor Access: No direct access to customer data
- Access Termination: Access promptly revoked when no longer required
Infrastructure Security
Cloud Platform
We host our infrastructure on enterprise cloud platforms, leveraging their security controls:
| Component | Provider | Security Features |
|---|---|---|
| Application Hosting | Vercel (serverless) | Managed runtime, automatic patching, isolated execution |
| Database | Supabase (PostgreSQL) | Row-level security, encryption, automated backups |
| File Storage | Supabase Storage | Access control, encryption at rest |
| Document Extraction | Google Cloud Document AI | Managed, EEA-region processing |
Data Location: Core customer data (account data, documents, and search indexes, for which you are the Controller) is hosted within the European Economic Area (EEA). Database and storage are hosted in the EEA via Supabase; application hosting is in the EEA (Stockholm, Sweden) via Vercel.
Network Security
- Managed Network Controls: Application components run on managed cloud networks with platform firewalling
- DDoS Protection: Provided by our hosting platform
- Restricted Ingress: Only necessary endpoints are exposed
Platform Security
- Managed Runtime: Serverless managed environment
- Automatic Updates: Security patches applied by the platform
- Resource Isolation: Function-level and container-level isolation
Application Security
Secure Development
| Practice | Description |
|---|---|
| Code Review | Changes reviewed before merging |
| Dependency Management | Dependencies kept current and monitored for vulnerabilities |
| Static Analysis | Linting and TypeScript strict mode enforced |
| Testing | Automated unit and end-to-end test suites |
| Build Verification | Preflight and build-safety checks before deployment |
Input Validation
- Zod Schemas: API inputs validated with strict schemas
- SQL Injection Prevention: Parameterized queries and a managed Postgres client
- XSS Prevention: React's built-in escaping
- CSRF Protection: State protection on OAuth and state-changing operations
API Security
- Authentication Checks: Server routes verify the authenticated user before processing
- Input Size Limits: Maximum payload sizes enforced
- Error Handling: Generic error messages to users, with details logged internally
- Rate Limiting: Throttling applied to high-volume AI processing paths
Data Protection
Data Minimization
We collect only the data necessary to provide our service:
| Data Category | What We Collect | What We DON'T Do |
|---|---|---|
| Account | Email, display name, role, organization | Store passwords in plain text |
| Documents | Files you upload and the content extracted from them | Use your content to train AI models |
| RFQ/RFx | Line items, quotes, feedback, communications you send | Read content unrelated to the workflow |
| Analytics | Usage events and session identifiers (production only) | Run analytics on local or dev environments |
AI Processing
Document analysis, extraction, proposal generation, and search rely on third-party AI providers (Anthropic, OpenAI, Cohere, and Google Document AI). Relevant content is transmitted over TLS for processing. We do not use your content to train our own or any third party's general-purpose AI models, and our AI subprocessors are engaged under terms that prohibit using your content to train their models.
Data Retention
| Data Type | Retention Period |
|---|---|
| Account Data | While the account is active |
| Organization Data | While the subscription is active |
| Uploaded Documents and Extracted Content | While the account is active, or until deleted |
| Integration Tokens | Until the integration is disconnected |
| Analytics | Up to 12 months |
| Logs | Limited period for security and troubleshooting |
Data Deletion
- User Request: Personal data deleted within 30 days of a verified request
- Account Termination: Data deleted within 30 days after the export period
- Document Deletion: Deleting a document removes its content and search indexes
Monitoring & Incident Response
Security Monitoring
| Capability | Implementation |
|---|---|
| Audit Logging | Sensitive actions (for example RFQ lifecycle events) recorded |
| Error Tracking | Application errors captured in hosting-platform runtime logs (Vercel, EEA) |
| Activity Records | Records maintained to support incident investigation |
Incident Response
Response Process:
- Detection: Automated monitoring or reported incident
- Triage: Assess severity and scope
- Containment: Isolate affected systems
- Investigation: Determine root cause
- Remediation: Fix the vulnerability and restore service
- Notification: Notify affected parties per DPA requirements
- Post-Mortem: Document lessons learned
Notification Timeline:
- Customer notification: Without undue delay, and no later than 48 hours after a confirmed Security Incident (per our DPA)
- Regulatory notification: As required by GDPR (72 hours)
Contact for Security Incidents
Email: vb@stazion.ai
Include:
- Description of the incident
- Time of discovery
- Systems or data involved
- Your contact information
Compliance
Current Compliance
| Standard | Status |
|---|---|
| GDPR | Compliant |
| Danish Data Protection Act | Compliant |
| Standard Contractual Clauses (for non-EEA transfers) | In place |
Compliance Roadmap
We are actively working to strengthen our security posture and pursue formal certifications (such as SOC 2 and ISO 27001) as we grow. Contact us for our current security assessment status or to complete a vendor security questionnaire.
Vendor Security
Subprocessor Assessment
Third-party vendors are reviewed for their security and privacy practices, and are bound by Data Processing Agreements before processing personal data on our behalf.
Current Subprocessors
A full list of subprocessors, including purpose, data categories, location, and transfer mechanism, is maintained in Annex B of our Data Processing Agreement. Core data stores (Supabase, Vercel, Google Cloud) are EEA-hosted; US-based AI and integration providers rely on Standard Contractual Clauses and/or the EU-US Data Privacy Framework.
Responsible Disclosure
We appreciate the security research community's efforts to improve security. If you discover a security vulnerability:
How to Report
Email: vb@stazion.ai
Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Your contact information (optional for anonymous reports)
Our Commitment
- Acknowledgment: We will acknowledge receipt within 48 hours
- Investigation: We will investigate and provide updates
- No Retaliation: We will not pursue legal action against good-faith researchers
- Recognition: With your permission, we will credit you
Scope
In Scope:
- app.stazion.ai and stazion.ai
- The Stazion application and API
- Authentication flows
Out of Scope:
- Third-party services (report directly to them)
- Social engineering attacks
- Physical security
- Denial of service testing
Security FAQs
Do you store my password?
No. Sign-in is handled by our authentication provider, which stores only a hashed version of your password. We never store passwords in plain text.
Do you use my documents to train AI models?
No. Your documents and queries are processed only to provide the Service. We do not use your content to train our own or any third party's general-purpose AI models, and our AI providers are contractually prohibited from using it to train theirs.
Where is my data stored?
Your core data (account data, uploaded documents, and search indexes) is hosted within the European Economic Area (EEA). Some AI processing providers are located outside the EEA, including in the United States, and are covered by appropriate transfer safeguards.
Who at Stazion can access my data?
Only authorized personnel with a legitimate operational need can access production systems.
Is my organization's data separated from other customers?
Yes. Each organization's data is isolated at the database level using row-level security, so one organization cannot access another's data.
What happens if Stazion is acquired?
Your data will be handled according to the Terms of Service and Data Processing Agreement. You would be notified of any ownership change.
Contact
For security, privacy, or legal questions:
Email: vb@stazion.ai
Mailing Address: Stazion ApS, Husumgade 31, 4. 15, 2200 København N, Denmark