Security
Last updated: February 27, 2026
Security-First Architecture
UserContext is built with security at its core. As an observability tool that handles interaction data from your users' browsers, we treat every piece of data as potentially sensitive and apply defense-in-depth principles throughout our stack.
Data Encryption
In Transit
All data transmitted between the widget, API, and dashboard is encrypted using TLS 1.3. We enforce HTTPS across all endpoints with no fallback to unencrypted connections.
At Rest
All data stored in our PostgreSQL databases is encrypted at rest using AES-256. Database backups are also encrypted and stored in geographically redundant locations.
PII Protection
Our multi-layered approach ensures personal data never reaches your issue reports:
- Client-side scrubbing — Configure CSS selectors for sensitive fields (e.g., .password-field, #credit-card-input). Values are redacted before data leaves the browser.
- Server-side redaction — Automatic pattern matching detects and masks emails, phone numbers, SSNs, credit card numbers, and other common PII patterns in all log data.
- Ghost Mode — Total redaction where all detected PII is replaced with [REDACTED] placeholders.
- Mirror Mode — AI-generated synthetic data replaces PII with functional equivalents that preserve debugging context without exposing real user information.
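The server-side redaction and Ghost Mode behaviour described above, sketched as an added example (this is not UserContext's code). The regular expressions, the rule order and the Luhn check that keeps non-card digit runs such as order IDs intact are all assumptions made for illustration.

```javascript
// Added illustration: patterns and names are assumptions, not UserContext's implementation.
const PLACEHOLDER = "[REDACTED]";

// Luhn checksum: rejects digit runs that only look like card numbers.
function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = digits.charCodeAt(digits.length - 1 - i) - 48;
    if (i % 2 === 1) d = d * 2 > 9 ? d * 2 - 9 : d * 2;
    sum += d;
  }
  return digits.length >= 13 && sum % 10 === 0;
}

// Order matters: cards and SSNs are tried before phones so the looser
// phone pattern never redacts only part of a longer identifier.
const RULES = [
  { kind: "email", re: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g },
  { kind: "card", re: /\b\d(?:[ -]?\d){12,18}\b/g,
    accept: (m) => luhnValid(m.replace(/\D/g, "")) },
  { kind: "ssn", re: /\b\d{3}-\d{2}-\d{4}\b/g },
  { kind: "phone", re: /(?:\(\d{3}\)\s?|\b\d{3}[ .-]?)\d{3}[ .-]?\d{4}\b/g },
];

// Returns the redacted text plus per-kind hit counts (useful for audit metrics).
function redactPII(text) {
  const counts = {};
  let out = text;
  for (const { kind, re, accept } of RULES) {
    out = out.replace(re, (match) => {
      if (accept && !accept(match)) return match; // validator rejected: keep as-is
      counts[kind] = (counts[kind] || 0) + 1;
      return PLACEHOLDER;
    });
  }
  return { text: out, counts };
}

// Constructed sample log line; every value is fictitious test data.
const SAMPLE =
  "user=alice@example.com ssn=078-05-1120 card=4111 1111 1111 1111 " +
  "phone=(415) 555-0132 order=1234567890123456";

console.log(redactPII(SAMPLE).text);
```

Pattern-based redaction only catches formats it knows, which is why the page pairs it with selector-based scrubbing in the browser.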
Access Controls
- Row-Level Security (RLS) — Every database query is scoped to the authenticated user's projects. PostgreSQL RLS policies enforce this at the database level, preventing cross-tenant data access even in the case of application bugs.
- API Key Scoping — Each project has a unique API key. The widget SDK authenticates with this key, and all captured data is automatically associated with the correct project.
- Role-Based Access — Service-level operations use separate credentials from user-level operations. The principle of least privilege is applied throughout.
Infrastructure
UserContext runs on enterprise-grade infrastructure:
- Database — Supabase-hosted PostgreSQL on AWS, with automated backups, point-in-time recovery, and read replicas
- Application — Deployed on Vercel's edge network with automatic DDoS protection and global CDN
- Monitoring — 24/7 infrastructure monitoring with automated alerting for anomalies
Compliance
UserContext is designed to help you meet your compliance requirements:
GDPR
Full support for data subject rights, data portability, and right to deletion. Data processing agreements available on request.
CCPA
Compliant with California Consumer Privacy Act requirements including opt-out and data deletion requests.
HIPAA-Ready
PII redaction and synthetic data modes enable use in healthcare contexts. BAA available for enterprise plans.
SOC 2
Our infrastructure provider (Supabase/AWS) maintains SOC 2 Type II certification. UserContext SOC 2 audit in progress.
Incident Response
In the event of a security incident, we follow a structured response process:
- Detection — Automated monitoring and alerting systems identify potential incidents
- Containment — Immediate isolation of affected systems to prevent further impact
- Investigation — Thorough analysis to determine scope and root cause
- Notification — Affected customers are notified within 72 hours as required by GDPR and other applicable regulations
- Remediation — Implementation of fixes and preventive measures
- Post-mortem — Documented analysis shared with affected customers
Responsible Disclosure
We welcome security researchers to responsibly disclose vulnerabilities. If you discover a security issue, please report it to:
Please include a detailed description of the vulnerability, steps to reproduce, and any potential impact. We commit to acknowledging reports within 48 hours and providing regular updates on remediation progress. We will not take legal action against researchers who follow responsible disclosure practices.
Contact Our Security Team
For security questions, vulnerability reports, or compliance inquiries:
UserContext, Inc. — Security Team
Email: security@usercontext.com