Security & Trust
Last updated: June 12, 2026 · DRAFT — requires attorney review before launch
Brandkept is an organizational and tracking tool. It does not provide legal, tax, financial, or compliance advice. Nothing in Brandkept constitutes legal advice. Always consult qualified professionals for your specific situation.
1. Overview
Brandkept stores some of the most sensitive data a family can have: income records, trust account details, child information, and OAuth access tokens for creator platform accounts. We take that responsibility seriously.
Our security model is built on the principle that child financial data deserves banking-grade protection. Every data access decision — from database queries to OAuth token storage — is designed with least-privilege access and an assumption that no system is immune to compromise.
This page describes the security measures we have in place, the standards we follow, and how to contact us if you discover a vulnerability.
2. Infrastructure Security
SOC 2 Type II Certified Providers
Brandkept is built on infrastructure from providers that have achieved SOC 2 Type II certification — the industry standard for security, availability, and confidentiality controls. Our infrastructure stack:
| Provider | Role | SOC 2 Status |
|---|---|---|
| Supabase | Database, Auth, Storage | SOC 2 Type II ✓ |
| Vercel | Web hosting, CDN, Edge functions | SOC 2 Type II ✓ |
| Stripe | Payment processing | SOC 2 Type II + PCI DSS Level 1 ✓ |
| Resend | Transactional email | SOC 2 Type II ✓ |
Data Residency
All Brandkept customer data is stored in the United States. Our primary Supabase instance is hosted in US-East-1 (AWS us-east-1). We do not transfer personal data to servers outside the United States without explicit disclosure.
Brandkept SOC 2 Roadmap
Brandkept itself is a startup and does not yet hold its own SOC 2 certification. We are targeting a SOC 2 Type I assessment at approximately $10,000 MRR, followed by a Type II audit. We disclose this transparently so you can make an informed decision about using our service. Our reliance on SOC 2 Type II certified sub-processors is the current mitigation for this gap.
3. Encryption
In Transit — TLS 1.2+ (1.3 Preferred)
All data transmitted between your browser or mobile app and Brandkept's servers is encrypted using TLS 1.2 at minimum, and TLS 1.3 is negotiated whenever the client supports it. This covers all API calls, form submissions, and file uploads. Vercel's edge network enforces HTTPS for every request and rejects unencrypted connections.
At Rest — AES-256 (Supabase Managed)
All data stored in Supabase — including database records, uploaded documents, and system backups — is encrypted at rest using AES-256. This is managed by Supabase's infrastructure on AWS, which uses AWS-managed encryption keys. Encryption at rest protects your data if physical storage media is ever lost or compromised; it does not, by itself, protect data read through a database connection, which is why the most sensitive fields are additionally encrypted at the application layer (see Field-Level Encryption below).
Field-Level Encryption — AES-256-GCM
OAuth access tokens and refresh tokens for connected creator platform accounts (YouTube, TikTok, Instagram, Twitch) are encrypted at the application layer using AES-256-GCM before being stored in the database. Even someone with access to the raw database rows could not read your platform credentials without also holding Brandkept's encryption key, and GCM's authentication tag means a tampered ciphertext is rejected rather than decrypted.
The encryption key is stored separately from the database, in environment secrets managed by Vercel, so a database-only compromise does not expose it.
4. Access Controls
Row-Level Security (RLS) on Every Table
Every database table containing user or child data has Row-Level Security policies enforced at the database layer. Supabase's Postgres engine enforces that a user can only read, write, or delete rows belonging to their own account — even if an application-level bug passes the wrong user ID. RLS is the last line of defense for user-facing requests: it cannot be bypassed by application code running under the public key. Only the administrative service role (see Principle of Least Privilege below) operates outside RLS, and that role is never used to serve user-facing requests.
Multi-Factor Authentication (MFA)
Brandkept supports multi-factor authentication and, because it stores children's financial data, treats MFA as a non-negotiable security practice that every account holder should enable. MFA can be enabled at Settings → Account → Security.
Audit Logging on Minor Data
Every create, update, and delete action on data involving a child — including income records, brand deals, Coogan calculations, and trust accounts — is recorded in an append-only audit log. The audit log captures the user ID, action type, affected record, timestamp, IP address, and user agent. Audit log entries cannot be modified or deleted through the application interface.
Principle of Least Privilege
Internal systems and team members have access only to the minimum data necessary to perform their function. The application uses a scoped service role for administrative operations and the public anon key for user-facing requests; requests made with the anon key are always subject to RLS, which enforces user isolation. No individual has standing access to read user data for routine operations.
5. Data Retention & Deletion
| Data Type | Retention Period | Reason |
|---|---|---|
| Active account data | Life of account | Service delivery |
| Under-13 data after cancellation | Deleted within 90 days | COPPA compliance |
| Deleted account data (soft-delete window) | 30 days from deletion request | Reversibility (account recovery) |
| Payment records | 7 years | Federal / state tax law requirement |
| Audit logs (minor data) | 3 years post-closure | COPPA, state privacy law |
| Backup systems | Overwritten within 30 days | Rolling backup cycle |
For detailed information on how to exercise your right to delete, see our Right to Delete page.
6. Incident Response
Detection Target: 24 Hours
Our internal target for detecting a security incident is 24 hours from the time an anomaly becomes visible in our monitoring systems. PostHog analytics and Supabase's built-in monitoring provide baseline anomaly detection. We are adding Sentry error monitoring as we scale.
Breach Notification: 30 Days
In the event of a confirmed breach affecting personal data, we will notify affected users within 30 days as required by applicable state breach notification laws. Many states (including California, Texas, and Virginia) have shorter notification windows — we target 30 days as a conservative upper bound and will notify sooner if possible.
Notification will be sent to the email address on your account. It will describe what data was affected, what we are doing in response, and what actions you should take.
Breach Counsel and Forensics
We are identifying breach counsel and a forensic investigation firm as part of our pre-launch security planning. Because we handle children's data, we are treating incident response readiness as a mandatory operational requirement, not a post-funding upgrade.
7. Responsible Disclosure
If you discover a security vulnerability in Brandkept, we ask that you report it to us responsibly before disclosing it publicly. We take all security reports seriously, particularly those involving children's data.
Our commitments to security researchers:
- We will respond to all good-faith vulnerability reports within 48 hours
- We will not pursue legal action against researchers who report vulnerabilities in good faith and follow responsible disclosure practices
- We will work with you to understand and validate the issue before any public disclosure
- We will credit researchers who report valid vulnerabilities (with permission)
- We will provide status updates as we work to remediate the issue
Bug Bounty Program: We do not currently have a formal bug bounty program. As Brandkept grows, we plan to establish one. If your report leads to a significant finding, we will recognize that at our discretion. Our priority is protecting children's data; monetary rewards are secondary.
Please do not test for vulnerabilities against production accounts belonging to real users. If you need a testing environment, contact security@brandkept.com and we will set one up for you.
8. Compliance Frameworks We Follow
Brandkept's security and privacy practices are designed around the following regulatory frameworks:
COPPA — Children's Online Privacy Protection Act (2025 Amendments)
Federal law governing online collection of data from children under 13. Brandkept is designed as a COPPA-compliant platform with parents as account controllers, no direct child accounts, and mandatory parental consent flows.
CCPA / CPRA — California Consumer Privacy Act and Privacy Rights Act
California's comprehensive privacy law giving California residents rights to access, delete, and opt out of sale of their personal information. Brandkept does not sell personal data.
State Minor Privacy Laws
We monitor child influencer protection laws in all 50 states, including California (SB 1247), Arkansas (Child Influencer Protection Act), Tennessee, Illinois, Minnesota, Utah, and New Mexico. Our compliance dashboard is updated as new laws take effect.
CDPA, CPA, CTDPA, UCPA, TDPSA — State Adult Privacy Laws
Virginia, Colorado, Connecticut, Utah, and Texas consumer data protection acts. We honor deletion and access rights under these laws for account holder data.
GDPR — General Data Protection Regulation (Limited Support)
Brandkept is a US-focused product. We do not actively market to EU residents and our infrastructure is US-based. If EU residents use the service, we apply GDPR-equivalent protections as a best-effort practice. Full GDPR compliance (including DPO appointment and EU Standard Contractual Clauses) is planned for our international expansion phase.
9. Contact
For questions about security, to report a vulnerability, or to request our security documentation:
Brandkept
Security: security@brandkept.com
Privacy: privacy@brandkept.com
Support: support@brandkept.com