Last updated: March 2025

Security

How JARVIS protects your idea data.

Encryption at rest

All data stored in JARVIS is encrypted at rest using AES-256, enforced by Neon Postgres. This includes your idea content, snippets, contacts, and all associated metadata.

Encryption in transit

All communication between your browser and JARVIS servers is encrypted using TLS 1.2+ via Vercel's global edge network. HTTP connections are automatically upgraded to HTTPS. A Strict-Transport-Security header with a 1-year max-age is set on all responses.

Authentication

  • Authentication is handled by Neon Auth (Stack Auth), a production-grade auth provider
  • Session tokens are stored in HttpOnly, Secure, SameSite=Strict cookies, preventing XSS-based token theft
  • Sessions expire after 7 days of inactivity
  • Passwords are hashed server-side — JARVIS never stores plaintext passwords
  • Sign-in errors return a generic message to prevent user enumeration

Access control (Row Level Security)

Every database query in JARVIS is scoped to the authenticated user's ID via PostgreSQL Row Level Security (RLS). This means it is architecturally impossible for one user's data to appear in another user's queries — even if there is a bug in the application logic.

RLS policies are applied to all 8 data tables: ideas, snippets, module_statuses, files, activity_log, bookmarks, contacts, and feedbacks.
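The following is an added illustration of the scoping described above, not JARVIS's own schema or policies. It assumes a table named ideas with an owner_id column and a hypothetical session variable app.user_id that the application sets to the authenticated user's ID at the start of every request; Neon Auth's actual integration may differ.

```sql
-- Added example (not JARVIS's own code): scope every query on a table to the
-- authenticated user with PostgreSQL Row Level Security.
-- Assumptions: table `ideas` with an `owner_id` column, and the application
-- sets the session variable app.user_id (hypothetical name) per request.

CREATE TABLE IF NOT EXISTS ideas (
    id        bigserial PRIMARY KEY,
    owner_id  text NOT NULL,
    content   text NOT NULL
);

-- Enable RLS, and FORCE it so the table owner (often the single app role)
-- is filtered too instead of silently bypassing the policy.
ALTER TABLE ideas ENABLE ROW LEVEL SECURITY;
ALTER TABLE ideas FORCE ROW LEVEL SECURITY;

-- Current user's ID, or NULL when none is set. A NULL comparison makes the
-- USING clause below match no rows, so an unauthenticated connection sees
-- nothing rather than everything (fail closed).
CREATE OR REPLACE FUNCTION app_current_user_id() RETURNS text
LANGUAGE sql STABLE AS $$
    SELECT nullif(current_setting('app.user_id', true), '')
$$;

-- USING filters rows read or modified; WITH CHECK rejects rows written with
-- a different owner, so a logic bug cannot create a row on behalf of another user.
CREATE POLICY ideas_owner_only ON ideas
    FOR ALL
    USING (owner_id = app_current_user_id())
    WITH CHECK (owner_id = app_current_user_id());

-- Per-request setup. SET LOCAL is scoped to the transaction, so the ID does
-- not leak into the next request that reuses a pooled connection.
BEGIN;
SET LOCAL app.user_id = 'user_a';
INSERT INTO ideas (owner_id, content) VALUES ('user_a', 'idea from A');
-- The next statement would be rejected by WITH CHECK (owner_id != user_a):
-- INSERT INTO ideas (owner_id, content) VALUES ('user_b', 'mislabelled row');
COMMIT;

BEGIN;
SET LOCAL app.user_id = 'user_b';
-- Even with no WHERE clause, none of user_a's rows are returned.
SELECT id, content FROM ideas;
COMMIT;
```

The policy is what enforces the boundary: the application never adds a WHERE owner_id clause itself, so a query that forgets the filter still returns only the caller's rows.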

No third-party data sharing

Your idea content is never shared with third parties, sold, or used to train AI models. The only external services JARVIS uses are:

  • Neon — database hosting (encrypted, SOC 2)
  • Vercel — application hosting (SOC 2 Type 2, ISO 27001)
  • Vercel Analytics — cookieless, privacy-safe page views only

Responsible disclosure

Found a security vulnerability? Please report it responsibly to security@jarvis.app. We take all reports seriously and aim to respond within 24 hours. Please do not publicly disclose vulnerabilities before we have had a chance to address them.