Security & Trust
How Lagic protects your account, your data, and your payment details.
We treat customer data the way our own customers treat their leads — like it's the most important thing in the building. This page documents what we do today, what we're working on, and how to reach our security team.
Data protection
- Encryption in transit. All traffic to lagichq.com is served over HTTPS with HSTS enforced (max-age 1 year, includeSubDomains).
- Encryption at rest. Customer data is stored in Supabase (AWS-backed Postgres) with disk-level AES-256 encryption.
- Row-level access control. Every database table is protected by Supabase RLS policies — users can only read or modify rows tied to their own user ID, enforced at the database layer, not the application layer.
- Server-side encryption for sensitive credentials. User-provided API keys (Airtable, Notion, custom webhooks) are encrypted with a dedicated key before being written to the database.
Payment security
- PCI compliance by delegation. All card data is handled by Stripe. Lagic never sees, stores, or transmits raw card numbers, CVVs, or expiration dates.
- Stripe Customer Portal. Subscription changes, cancellations, and invoice access are handled through Stripe's hosted billing portal — outside our application boundary.
- Webhook signature verification. Every Stripe webhook event is cryptographically verified against the signing secret before being processed.
Authentication
- Cookie-based sessions. Sessions are stored in HttpOnly, Secure, SameSite=Lax cookies via Supabase Auth. Cookies are signed and short-lived.
- Google OAuth. Sign-in via Google uses standard OAuth 2.0 with PKCE. We receive only your name and email — never your Google password or other account data.
- Account deletion is genuine. Requesting account deletion removes your profile, jobs, schedules, and integration tokens — not soft-deleted, actually deleted.
- Account export. You can export everything we hold about you as a JSON archive at any time, per GDPR Article 20.
Infrastructure providers
We delegate the parts of the stack other companies do better than we ever could:
- Vercel — application hosting, edge network, DDoS mitigation
- Supabase — Postgres database with row-level security, authentication
- Stripe — payments, subscription management, PCI compliance
- Resend — transactional email with DKIM, SPF, DMARC enforced
- Sentry — error monitoring (with PII redaction and consent-gated session replay)
The full sub-processor list is in our privacy policy; additional named providers are available on request from team@lagichq.com.
Application security
- Content Security Policy. A strict CSP is set on every response, restricting script and connection sources to a tight allowlist.
- Other headers. X-Frame-Options: SAMEORIGIN, X-Content-Type-Options: nosniff, Referrer-Policy: strict-origin-when-cross-origin, Permissions-Policy disabling camera, microphone, and geolocation.
- Rate limiting. Authentication, signup, and high-cost endpoints are rate-limited per IP and per user.
- Input validation. Every API endpoint validates payloads against a Zod schema before touching the database.
- Server-only secrets. Apify tokens, Stripe secret keys, and the internal bearer secret are never exposed to the client bundle.
- Dependency scanning. Dependencies are reviewed before upgrade and the lockfile is committed to ensure deterministic builds.
Compliance
- GDPR. EU users can request data export and deletion via the dashboard or by emailing team@lagichq.com. Sub-processor disclosure is published in the privacy policy.
- CCPA. California residents have the same rights to access, delete, and opt out of any sale of personal information. Lagic does not sell personal information.
- CAN-SPAM. Lagic itself does not send marketing emails to unconsented recipients. Customers using Lagic-delivered lead data are responsible for their own compliance.
- SOC 2. Lagic is not currently SOC 2 audited. We are aligning controls toward Type I readiness in 2026.
Reporting a vulnerability
Send any security findings to security@lagichq.com. We respond within 24 hours and treat all reports as confidential until a fix ships.
The machine-readable contact is published at /.well-known/security.txt per RFC 9116.
Please don't: run automated scanners against production beyond what's needed to demonstrate an issue, attempt to access other users' data, or perform denial-of-service tests.
We will: credit you in the acknowledgments section below (with your permission) and treat your report seriously.
Acknowledgments
The list of researchers who've helped us improve Lagic's security will be published here. We'll never list anyone without their explicit permission.
— No public acknowledgments yet.