Security

Security & Trust

This page is maintained by the Adriana team to answer common security and privacy questions about the product. It reflects controls that are currently in place — it is not an independent certification.

TLS 1.3 in transit · AES-256 at rest

All traffic to Adriana rides over TLS 1.3. Data at rest, including brand assets in object storage and Postgres rows, is encrypted with AES-256 by the hosting provider.

Row-Level Security per workspace

Every table with tenant data enforces Postgres RLS scoped to auth.uid(). Server functions run with the caller's bearer token, so RLS applies exactly as it does in the browser client.

Bring your own OpenAI, Anthropic, or Gemini keys.

Bring your own OpenAI, Anthropic, or Gemini keys in Settings. Keys are stored server-side and never returned to the browser. Or use the managed Lovable AI gateway with no key setup.

Role-based access

Roles live in a dedicated user_roles table (never on profiles). Admin promotions go through a security-definer RPC and are audited.

You own your data. Export or delete anytime.

Your briefs, brand brain, creatives, and campaigns are yours. Export from Settings any time; delete your workspace and the underlying rows are removed.

SOC 2 Type II — in progress

Adriana is preparing SOC 2 Type II attestation with a third-party auditor. Data is encrypted in transit and at rest, RLS-scoped per workspace, and never used to train shared models.

Shared responsibility

Adriana provides the platform controls above. Workspace admins are responsible for choosing who they invite, granting connector access, and configuring which ad accounts Adriana can publish to. Customers are responsible for the accuracy of the creative and claims they publish.

Reporting a vulnerability

Please email security@adriana.catelae.com with reproduction steps. We aim to acknowledge within one business day.