Sign-in uses Supabase Auth (GoTrue) with JWT sessions. Tokens are stored in HTTP-only, Secure, SameSite cookies via the Supabase SSR client. Sign-in via Google or Apple uses OAuth 2.0 / OIDC; we never see provider passwords.

Passwords (when email/password sign-up is used) are hashed with bcrypt at industry-recommended cost. We never log or transmit plaintext passwords.

Sensitive actions (password change, account deletion) can require re-authentication or a one-time email code. Suspicious activity triggers rate limits and may trigger account review.

All public traffic is HTTPS only. Marketing site and web app: TLS terminated by Vercel and Cloudflare’s edge. API and Auth: TLS terminated by our Caddy reverse proxy using automated Let’s Encrypt certificates; Cloudflare proxies in front (Full Strict mode).

Strict HSTS is enabled with preload-style max-age, and X-Content-Type-Options, Referrer-Policy, and Permissions-Policy headers are sent on responses we serve.

Data at rest sits on encrypted Hetzner volumes in Germany. Database access requires authenticated credentials scoped to least privilege.

User-uploaded files are stored in a private Supabase Storage bucket; signed URLs are short-lived and scoped to the requesting user’s workspace.

The production server (Hetzner, Falkenstein) runs Ubuntu LTS with UFW configured to deny all incoming traffic by default; only ports 22 (SSH), 80, and 443 are publicly reachable. SSH is key-only.

Internal services (PostgreSQL, embeddings, DECIMER, Supabase) bind to 127.0.0.1 inside their containers and are reachable to other services only through a private Docker bridge network; they are not exposed to the public internet.

The reverse proxy (Caddy 2) routes api.cheemly.com to the NestJS API and auth.cheemly.com to the Supabase Kong gateway. Cloudflare sits in front for DDoS mitigation and edge filtering.

Container images are pulled from GitHub Container Registry; deployment is via a signed GitHub Actions workflow that pushes images and triggers a controlled `docker compose up -d` on the server.

Workspace separation is enforced at the application layer: every API request requires a valid Supabase JWT, the user identifier is extracted server-side, and database queries filter by that identifier so users can access only their own threads, files, embeddings, references, study sessions, and reports.

CORS allow-list is restricted to https://cheemly.com (production) and the configured marketing origin.

Inputs are validated with class-validator (NestJS DTOs) and Pydantic (FastAPI), preventing many classes of injection.

Secrets live outside source control in environment files restricted to root on the production server, with file mode 600. The GitHub Actions deploy key is scoped to the production VM and rotatable.

Every chemistry answer is run through a deterministic Python check before it reaches the user: SMILES are parsed with RDKit, atom counts are balanced for reactions, IUPAC names are round-tripped through OPSIN, and citations are resolved against open scholarly APIs.

If the gate fails, the answer is re-prompted or flagged as low-confidence; we do not silently ship a hallucinated structure.

ASCII-art structures are banned by prompt rule and detected by the critic; the model is forced to re-generate a real RDKit-rendered structure.

All payment details (card number, CVC, banking credentials) are handled by Stripe, a PCI-DSS Level 1 certified processor. Cheemly stores only subscription status, plan, invoice metadata, and the Stripe customer/subscription identifiers.

Webhook events from Stripe are verified with the webhook signing secret before they are processed. Billing reconciliation is logged for audit.

Operational logs cover errors, latency, failed jobs, authentication events, and quota accounting. Personal data is minimised in logs; full prompt bodies and file contents are not logged routinely.

Authentication events store the IP address, user agent, and a parsed device fingerprint to help users review “where I am signed in”.

We keep an internal activity log for security-relevant events (sign-in, sign-out, password change, file upload, thread creation, plan change). Users can request a copy of their own activity log via privacy@cheemly.com.

PostgreSQL is backed up on a daily rotating schedule. Backups are encrypted and kept in a separate Hetzner volume.

Recovery time objective (RTO) target: 4 hours for full database restore. Recovery point objective (RPO) target: 24 hours.

We perform restore drills periodically and run a separate staging environment for non-destructive testing.

Each agent is given a guardrail prompt: Moll never reveals the underlying model name or provider, refuses out-of-domain requests, and declines workflows that violate the acceptable-use policy.

Deep-research mode requires explicit user confirmation before execution; planning, retrieval, and synthesis happen in phases the user can observe and abort.

Quota is enforced server-side; clients cannot bypass the meter.

We follow a documented incident response process: detect, contain, eradicate, recover, notify, and conduct a post-incident review.

Where a personal data breach is likely to result in a risk to user rights, we notify the competent supervisory authority within 72 hours (GDPR Art. 33) and, where the risk is high, notify affected users without undue delay (GDPR Art. 34). KVKK Art. 12(5) is treated to the same 72-hour target.

Notices include what happened, the data involved, the actions taken, and recommended user steps.

Security researchers are welcome. Please email security@cheemly.com with reproduction steps, affected URLs, impact assessment, and contact information. A machine-readable summary is also published at /.well-known/security.txt.

Please do not access, modify, delete, or exfiltrate other users’ data; do not run destructive tests, spam, phishing, social engineering, or denial-of-service attacks. We will acknowledge valid reports within 5 business days and aim to remediate critical issues within 30 days. We do not currently run a paid bounty programme; we will credit researchers in release notes on request.

Good-faith research conducted under this policy will not be the subject of legal action by us.

Cheemly is designed to align with GDPR, UK GDPR, Türkiye KVKK, Swiss FADP, and CCPA/CPRA obligations relevant to a small AI-product operator.

We do not currently hold SOC 2, ISO 27001, or HIPAA certifications. Enterprise customers requiring formal third-party attestations can discuss their needs with sales@cheemly.com.

If you require a Data Processing Agreement, a sub-processor list export, a security questionnaire response, or a transfer impact assessment, please contact legal@cheemly.com.