Security at tonAIlity
Your data security and privacy are our top priorities
At tonAIlity, we understand that you're entrusting us with your unique voice, brand information, and creative content. We take that responsibility seriously and implement industry-leading security measures to protect your data.
Data Protection
Encryption
- In Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.3 with strong cipher suites
- At Rest: Your data is encrypted at rest using AES-256 encryption in our database
- Passwords: All passwords are hashed using bcrypt, which generates a random salt for every hash, so no password is ever stored in plain text
- API Keys: Third-party integration credentials are encrypted and stored in secure Supabase secrets
Data Isolation
Every user's data is strictly isolated using Row Level Security (RLS) policies in our database. This means:
- You can only access your own writing samples, knowledge base, and generated content
- Database queries automatically filter results to your account
- Even our internal team cannot access your data without explicit permission
- Your AI voice model is trained exclusively on your data and never shared
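The per-user isolation described above, shown as an added example in Supabase-style Postgres SQL. This is not tonAIlity's own schema or policy code: the table name `writing_samples`, its columns, the policy names and the two user UUIDs are all assumed for illustration. `auth.uid()` is Supabase's built-in helper that reads the caller's user id from the request JWT.

```sql
-- Added example (not tonAIlity's schema): one table of writing samples,
-- isolated per user with Row Level Security (RLS).
create table public.writing_samples (
  id         uuid primary key default gen_random_uuid(),
  -- In a real Supabase schema this would be: references auth.users (id) on delete cascade.
  -- The FK is omitted here so the example runs without pre-existing users.
  user_id    uuid not null,
  title      text not null,
  body       text not null,
  created_at timestamptz not null default now()
);

-- Constructed seed data: two different users, inserted before RLS is switched on.
insert into public.writing_samples (user_id, title, body) values
  ('11111111-1111-1111-1111-111111111111', 'Alice sample', 'Alice writes like this.'),
  ('22222222-2222-2222-2222-222222222222', 'Bob sample',   'Bob writes like that.');

-- 1. Policies are ignored until RLS is enabled; with it enabled and no policy,
--    the default is to deny everything for non-owner roles.
alter table public.writing_samples enable row level security;

-- 2. Also apply the policies to the table owner (roles with BYPASSRLS still bypass them).
alter table public.writing_samples force row level security;

-- 3. One policy per operation, all keyed on the JWT subject.
--    auth.uid() is NULL for anonymous requests, so they match no rows.
create policy "owner can read own samples"
  on public.writing_samples for select
  to authenticated
  using (auth.uid() = user_id);

create policy "owner can insert own samples"
  on public.writing_samples for insert
  to authenticated
  with check (auth.uid() = user_id);

create policy "owner can update own samples"
  on public.writing_samples for update
  to authenticated
  using (auth.uid() = user_id)
  with check (auth.uid() = user_id);

create policy "owner can delete own samples"
  on public.writing_samples for delete
  to authenticated
  using (auth.uid() = user_id);

-- 4. Verify from the SQL editor by simulating an API request from Alice.
--    PostgREST sets the same role and JWT claims for every real API call.
begin;
set local role authenticated;
set local request.jwt.claims to
  '{"sub":"11111111-1111-1111-1111-111111111111","role":"authenticated"}';

-- The query asks for every row; RLS silently filters it to Alice's row only.
select user_id, title from public.writing_samples;

-- Writing on behalf of another user is rejected by the WITH CHECK clause:
-- ERROR: new row violates row-level security policy for table "writing_samples"
insert into public.writing_samples (user_id, title, body)
  values ('22222222-2222-2222-2222-222222222222', 'Forged', 'not Bob');
rollback;
```

Two points worth checking in any RLS-based design: a table with RLS enabled but no policy returns nothing rather than everything, so a missing policy shows up as an empty result, not a leak; and Supabase's `service_role` key bypasses RLS entirely, so any server-side code that uses it must enforce the same ownership checks itself.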
Infrastructure Security
Hosting & Cloud Providers
tonAIlity is built on enterprise-grade infrastructure:
- Supabase: SOC 2 Type II compliant database and authentication infrastructure
- Vercel: Enterprise-grade hosting with automatic SSL, DDoS protection, and global CDN
- Google Cloud: Gemini AI models run on Google's secure, GDPR-compliant infrastructure
- BannerBear & Ayrshare: Trusted third-party services with their own security certifications
Access Control
- Authentication: Secure email/password authentication with optional social login
- Session Management: Short-lived access tokens with automatic expiration
- Role-Based Access: Granular permissions for agencies managing multiple clients
- Admin Access: Internal admin access is logged and monitored
Application Security
Secure Development Practices
- Input Validation: All user input is validated and sanitized on both client and server; the server-side check is the one that is enforced, since client-side checks can be bypassed
- SQL Injection Protection: Parameterized queries prevent SQL injection attacks
- XSS Prevention: Content is escaped and sanitized to prevent cross-site scripting
- CSRF Protection: Built-in CSRF token validation for all state-changing operations
- Rate Limiting: API endpoints are rate-limited to prevent abuse
Dependency Management
We regularly scan our dependencies for known vulnerabilities and apply security patches promptly. Our codebase uses automated security scanning to detect potential issues before deployment.
Privacy & Compliance
Your Data is YOURS
- No Training on Your Data: Your writing samples are NEVER used to train public AI models or shared with other users
- No Selling: We do not sell, rent, or share your personal data with third parties for marketing purposes
- Data Portability: You can export your data at any time from your account settings
- Right to Deletion: You can request complete deletion of your account and data at any time
Regulatory Compliance
tonAIlity is designed with privacy regulations in mind:
- GDPR (EU): We comply with GDPR requirements for data protection and user rights
- CCPA (California): California residents have additional privacy rights under CCPA
- Privacy Policy: See our full Privacy Policy for details
Third-Party Integrations
tonAIlity integrates with trusted third-party services to provide our features:
- Google Gemini: AI content generation (data processed according to Google's privacy policies)
- BannerBear: Branded image generation (Pro plan only)
- Ayrshare: Multi-platform social media publishing
- Stripe: Secure payment processing (we never store card details)
All third-party services are carefully vetted and contractually obligated to protect your data. See our Privacy Policy for the complete list of service providers.
Incident Response
While we implement extensive security measures, no system is 100% secure. If a security incident occurs:
- We will investigate and contain the incident immediately
- Affected users will be notified within 72 hours
- We will provide clear information about what data was affected
- We will implement additional safeguards to prevent recurrence
- We will cooperate with relevant authorities as required by law
Responsible Disclosure
If you discover a security vulnerability in tonAIlity, we encourage responsible disclosure:
Please do not publicly disclose security vulnerabilities until we've had a chance to address them. We commit to:
- Acknowledge receipt within 24 hours
- Provide an initial assessment within 72 hours
- Keep you informed throughout the resolution process
- Credit you in our security acknowledgments (if desired)
Account Security Best Practices
You play a critical role in keeping your account secure:
- Use a strong, unique password (minimum 8 characters with mixed case, numbers, and symbols)
- Never share your password or API keys with anyone
- Log out from shared or public computers
- Enable email notifications for account changes
- Review connected social media accounts regularly
- Contact support immediately if you suspect unauthorized access
Questions about our security practices? Contact us