
Security

Built secure from the ground up.

Proposals, client data, signatures, and payments touch sensitive business information. Here is exactly how Intenio protects them.

Encryption in transit and at rest

All traffic between your browser and Intenio runs over TLS 1.3. Data at rest — proposals, sections, analytics, client activity — is encrypted inside Supabase's managed PostgreSQL infrastructure hosted on AWS.

Magic Link token security

Each proposal gets a cryptographically random UUID token. Links expire after 30 days by default. Tokens are single-use per proposal — a new token is minted on every re-send. Optional password protection adds a PBKDF2-derived layer on top (100 k iterations).

ESIGN-compliant audit trail

Every signature records the signer name, IP address, user-agent string, exact timestamp, and a SHA-256 hash of the signed document content. Records are written to an immutable audit table and a tamper-proof PDF certificate is stored in Supabase Storage.

Payment security via Stripe

Intenio never handles or stores card data. All payment collection is delegated to Stripe, a PCI DSS Level 1 certified processor. Connect payouts to your bank use Stripe Connect under Stripe's KYC and fraud controls.

Infrastructure and access control

The app runs on Vercel's edge network. Row-Level Security (RLS) policies in Supabase enforce per-user data isolation at the database layer — not just the API layer — so one account cannot read another's proposals even with a valid session token.

Rate limiting and abuse protection

Client-facing endpoints (sign, auth, analytics) are rate-limited per IP using an in-memory sliding window. The client auth route limits to 5 attempts per token per 60 seconds. Stripe webhook payloads are verified via HMAC signature before processing.
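The per-token limit described above, sketched as an added example (not Intenio's code): a sliding-window limiter that keeps attempt timestamps in memory and allows 5 attempts per key per 60 seconds. The function names and key format are hypothetical, and the state lives in a single process, so each running instance counts separately.

```javascript
// Added example, not Intenio's code. The 5-per-60-seconds figures come from
// the page; function names and the key format are hypothetical.
const LIMIT = 5;
const WINDOW_MS = 60_000;

function createLimiter(limit = LIMIT, windowMs = WINDOW_MS) {
  const hits = new Map(); // key -> timestamps (ms) of allowed attempts, oldest first

  function check(key, now = Date.now()) {
    const cutoff = now - windowMs;
    // Keep only attempts still inside the window ending at `now`.
    const recent = (hits.get(key) || []).filter((t) => t > cutoff);
    if (recent.length >= limit) {
      hits.set(key, recent);
      // The oldest retained attempt decides when the next slot frees up.
      return { allowed: false, remaining: 0, retryAfterMs: recent[0] + windowMs - now };
    }
    recent.push(now); // only allowed attempts are recorded
    hits.set(key, recent);
    return { allowed: true, remaining: limit - recent.length, retryAfterMs: 0 };
  }

  // Evict idle keys so a stream of one-off tokens cannot grow the map unbounded.
  function sweep(now = Date.now()) {
    const cutoff = now - windowMs;
    for (const [key, times] of hits) {
      if (times.every((t) => t <= cutoff)) hits.delete(key);
    }
    return hits.size;
  }

  return { check, sweep };
}

// Constructed scenario: six attempts one second apart against one token,
// then a seventh once the first attempt has aged out of the window.
function demo() {
  const limiter = createLimiter();
  const key = "token:constructed-example";
  const burst = [];
  for (let i = 0; i < 6; i++) burst.push(limiter.check(key, 1_000 + i * 1_000));
  const later = limiter.check(key, 61_000);
  const otherKey = limiter.check("token:another-constructed", 6_000);
  return { burst, later, otherKey, keysAfterSweep: limiter.sweep(200_000) };
}

console.log(JSON.stringify(demo(), null, 2));
```

Rejected attempts are not recorded here, so a blocked client regains a slot as soon as its oldest allowed attempt leaves the window.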

Third-party services

Intenio is built on a small set of well-audited infrastructure providers. Each handles a specific part of the security surface.

Supabase (Database, auth, and file storage): SOC 2 Type II in progress. Postgres RLS enforced. All storage buckets are private by default.

Vercel (Edge compute and deployment): TLS termination, DDoS mitigation, and WAF at the edge. Zero-downtime deployments with rollback.

Stripe (Payments and Connect payouts): PCI DSS Level 1. Intenio never sees or stores card numbers.

Resend (Transactional email): Magic link and activity notification emails. Credentials scoped to sending only.

Anthropic / Google Gemini (AI proposal drafting and coaching): Content sent for generation is not stored or used to train models under the API terms. Prompts are scoped to your proposal data only.

Responsible disclosure

If you discover a security vulnerability in Intenio, please email security@intenio.io before disclosing publicly. We aim to respond within 48 hours and will credit responsible reporters.

Questions about security?

Reach out and we will respond within one business day.


Last reviewed: June 2026


© 2026 Cr3ativeSparx. All rights reserved.
