SECURITY POSTURE

How AEOlens handles your data

A plain-English overview of how AEOlens stores, transmits, and protects the URLs and content you scan. No legal-form prose — just what we actually do.

Last updated 2026-06-06

01.

What we collect and don't

AEOlens stores three categories of data: your account (email, name, hashed password if you signed up with password auth), your workspace state (organization details, members, project domains, scan history, simulation results), and page content we crawl for the URLs you submit.

We do not collect or process: payment-card numbers (handled by our payment processor — we never see them), end-user data from your customers, browsing history outside what you explicitly submit, or device fingerprints beyond standard server logs.

02.

Encryption in transit and at rest

  • All traffic to aeolens.ai and the API uses TLS 1.2+ with HSTS enabled. The certificate is publicly verifiable.
  • Database storage (Supabase Postgres) is encrypted at rest using AES-256.
  • Object storage for PDF exports and HTML caches uses server-side AES-256 encryption.
  • API keys are stored as SHA-256 hashes — the raw token is shown only once at creation time and never recoverable from the database.
  • Background-job queues (Redis) are TLS-encrypted; we use Upstash with rest.encryption enabled.
03.

SSRF protection on every crawl

The crawler is the highest-risk surface in an AEO platform: it follows user-supplied URLs. AEOlens enforces multiple layers to prevent server-side request forgery (SSRF):

  • URLs are validated for scheme (http/https only) and rejected if the resolved IP is private (RFC 1918), loopback, link-local, or in a documented metadata range (169.254.169.254 etc).
  • We resolve the hostname twice: once at request time and again immediately before connecting, to close the DNS-rebinding window.
  • The Playwright JS-rendering path runs in a sandboxed Chromium with the same private-IP guard applied to page.goto before navigation begins.
  • Every crawl carries a unique user-agent (AEOlens/1.0; +https://aeolens.ai/bot) so target site operators can identify and rate-limit us if needed.
04.

Workspace isolation

Every scan, simulation, and project belongs to exactly one workspace (organization). Database access is enforced at multiple layers:

  • Backend endpoints verify workspace membership before reading or mutating any resource — see get_org_for_scan and equivalents in the codebase.
  • Supabase Row-Level Security policies provide a second layer of defence on tables that store per-user state (notifications, API keys, billing preferences).
  • Public scan results (the unauthenticated funnel) live in a separate Redis namespace, never the authenticated scans table. They expire after 30 days.
  • Member roles (Owner / Admin / Member / Viewer) gate destructive actions — viewers cannot initiate scans, simulations, or exports.
05.

AI crawler and model usage

AEOlens itself runs AI models for the buyer-simulation feature. We use OpenRouter as a routing layer to query ChatGPT, Perplexity, Gemini, Claude, and Grok. Important constraints:

  • We send the AI model the buyer query text and (for Claude only) a snippet of the customer's own extracted page content. We do notsend the full crawled HTML or any data from other customers' scans.
  • OpenRouter does not train on routed prompts by default; the provider-side data-handling policy for each underlying model applies (linked from OpenRouter's data-handling page).
  • We honour llms.txton third-party domains where present — if a site asks us not to index, we don't.
  • A circuit-breaker pattern around the OpenRouter client protects against model outages — a hung model does not freeze concurrent simulations.
06.

Data retention

  • Scan history is retained per plan: Free / Starter 14 days, Growth 90 days, Agency 365 days. Older HTML caches and PDF artefacts are purged by a daily sweep job.
  • Public scan results (anonymous funnel) live in Redis with a 30-day TTL.
  • Account data is retained while the account is active; account-deletion requests purge profile + workspace state within 30 days.
  • Server logs (HTTP access, error, and request-correlation IDs) retain 30 days, then rotate out.
07.

Subprocessors

AEOlens uses the following third-party services. Each link points at the provider's own security and data-handling documentation:

  • Supabase — managed Postgres + auth (SOC 2 Type II).
  • Render — application hosting (SOC 2 Type II, GDPR-compliant DPA).
  • Upstash — managed Redis for rate-limit counters and short-lived job state.
  • OpenRouter — AI model routing for buyer simulations and AI rewrites.
  • Resend — transactional email delivery.
  • Dodo Payments — billing, subscription, and invoice handling. We never store card numbers.
  • Sentry — error monitoring. Stack traces and request metadata only; never PII.
  • PostHog — product analytics. Self-hosted instance; cookieless mode for marketing pages.
08.

Vulnerability disclosure

If you find a security issue, please email contact@aeolens.ai with a description, reproduction steps, and ideally a suggested mitigation. We aim to acknowledge reports within 2 business days and respond with a remediation plan within 14 days for high-severity issues. We do not currently run a paid bug-bounty program but credit researchers publicly with permission.

Please don't run automated scanners against production. We monitor for them and you'll get rate-limited fast. If you want to do active testing, ask first — we can spin up a sandbox.

09.

What we don't claim

In the spirit of honest copy: AEOlens is not SOC 2 certified yet. We're an early-stage product. We have a security posture(the items above) but no third-party attestation. We're working on it; we'll publish here when it lands. If SOC 2 is a hard procurement requirement for your team today, please reach out before signing up.

10.

GDPR and data location

  • Customer data is processed in us-east-1 (Supabase) and Oregon (Render). EU customers can request EU-only processing — we route to Supabase eu-west-1 if requested, with the same backups and retention policy.
  • Standard Contractual Clauses cover the EU-US data flow where required.
  • EU customers can exercise GDPR rights (access, deletion, portability) via the in-app account-deletion flow or by emailing the address above.

Have a deeper security or procurement question?

We'll happily walk through specifics — VPC questions, DPA signing, EU residency, retention overrides for Agency-plan customers.

Contact security