Security Practices


Security practices and controls implemented for Visaprep Agent, covering application security, data protection, infrastructure, and vendor security posture.

Last updated: May 29, 2026

This page is no-indexed pending attorney review before publication.

Status: Pending attorney review

Scope: Application, data, AI, payments, and vendors

Contact: support@visaprepagent.com

1. Controls in place

  • Row-Level Security (RLS) on all Supabase database tables - authorization is enforced per row inside the database, so application code cannot read or modify rows the current user is not authorized for, even if a query is written incorrectly.
  • HTTPS / TLS 1.2+ on all connections - data in transit between your browser, our API, and third-party services is encrypted.
  • Cloudflare WAF and DDoS mitigation - the web layer is protected by Cloudflare's edge network before requests reach our infrastructure.
  • Parameterized SQL only - no query text is built by string concatenation anywhere in application code, which removes the SQL injection class of vulnerability.
  • Secrets in AWS SSM Parameter Store (production) and in gitignored environment files (development) - no credentials are hardcoded in source.
  • AWS IAM with OIDC for CI/CD - GitHub Actions deploys using short-lived OIDC-issued credentials; no long-lived AWS access keys exist.
  • Point-in-Time Recovery (PITR) enabled on the production database - supports recovery from accidental data loss or corruption.
  • AWS CloudWatch monitoring with budget alerts - anomalous usage patterns trigger alerts before they become incidents.
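The parameterized-SQL control above is the kind of thing a test suite should prove rather than assert in prose. The following is an added example, not Visaprep Agent's own code: it places the string-built query the policy forbids next to the parameterized form it requires, and shows on constructed data why the first is both a security and a correctness defect. It uses Python's built-in sqlite3 as an offline stand-in for the Supabase Postgres database the page mentions; the table, column and user names are invented for the demonstration.

```python
import sqlite3

# Constructed sample data (not from the page): case records owned by three users.
# One owner id contains an apostrophe to show that string-built SQL breaks on
# ordinary input as well as on hostile input.
SAMPLE_ROWS = [
    ("user-a", "I-129 draft"),
    ("user-a", "interview prep notes"),
    ("user-b", "H-1B checklist"),
    ("o'brien", "document upload list"),
]

# A classic tautology string, used here only as a regression test input that
# a parameterized query must treat as an ordinary (non-matching) literal.
HOSTILE_ID = "x' OR '1'='1"


def make_db():
    """Build an in-memory database with the constructed rows (insert is parameterized)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cases (owner_id TEXT NOT NULL, notes TEXT NOT NULL)")
    conn.executemany("INSERT INTO cases VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_unsafe(conn, owner_id):
    """Anti-pattern the policy forbids: the value is spliced into the SQL text,
    so the database parser sees the caller's characters as part of the statement."""
    sql = f"SELECT notes FROM cases WHERE owner_id = '{owner_id}' ORDER BY rowid"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, owner_id):
    """Required form: the statement text is fixed and the value travels as a bound
    parameter, so it is always compared as a string, never parsed as SQL."""
    sql = "SELECT notes FROM cases WHERE owner_id = ? ORDER BY rowid"
    return [row[0] for row in conn.execute(sql, (owner_id,))]


def compare_behaviour():
    """Run both forms over normal, apostrophe-bearing and hostile inputs and
    return the observations as a dict so they can be asserted on."""
    conn = make_db()
    result = {
        "unsafe_normal": lookup_unsafe(conn, "user-a"),
        "safe_normal": lookup_safe(conn, "user-a"),
        # Tautology input: the string-built query returns every row in the table,
        # the parameterized one returns nothing because no owner has that id.
        "unsafe_hostile": lookup_unsafe(conn, HOSTILE_ID),
        "safe_hostile": lookup_safe(conn, HOSTILE_ID),
        # Legitimate apostrophe: the parameterized query just works.
        "safe_apostrophe": lookup_safe(conn, "o'brien"),
    }
    # The string-built query cannot even handle a legitimate apostrophe; it
    # produces a malformed statement and the driver raises.
    try:
        lookup_unsafe(conn, "o'brien")
        result["unsafe_apostrophe_error"] = None
    except sqlite3.OperationalError as exc:
        result["unsafe_apostrophe_error"] = type(exc).__name__
    return result


if __name__ == "__main__":
    for key, value in compare_behaviour().items():
        print(f"{key}: {value}")
```

A check like `lookup_safe(conn, HOSTILE_ID) == []` belongs in the regular test suite: it fails loudly if someone later "simplifies" a data-access helper back to string formatting, which is the only way the page's "parameterized SQL only" statement stays true over time.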

2. Security principles

  • Use administrative, technical, and organizational safeguards designed to reduce unauthorized access, disclosure, alteration, or loss.
  • Limit access to systems and user data based on operational need.
  • Use service providers that support secure authentication, storage, payment processing, AI processing, and platform operations.
  • No internet-based service can guarantee absolute security.

3. Security contact

Security questions or suspected vulnerabilities can be reported to support@visaprepagent.com. Please do not include unnecessary personal data in the initial report.