Security

Last updated: April 30, 2026

1. Where your data lives

Scenair runs on Convex (a managed serverless backend) in United States data centers. Your workspace, scans, prompts, and artifacts are isolated by tenant via workspace-scoped queries. No customer data is exposed across accounts. We do not maintain a separate analytics warehouse; all production data stays inside Convex.

2. Encryption

  • In transit: TLS 1.3 between your browser, our API, and every subprocessor we call.
  • At rest: Encryption is managed by Convex on their underlying infrastructure (AWS KMS-backed).
  • Secrets: API keys and tokens are stored as environment variables managed by Convex; they are never committed to source control or logged.

3. AI training and your data

We send brand-related queries (your domain, prompts, brand voice samples) to AI platforms to generate scans and draft artifacts. We use these providers under their API terms, which by default do not opt your data into model training.

Specifically: OpenAI API requests, Anthropic API requests, and Google AI Studio API requests are not used for model training under the standard API terms. We do not opt in to any data-sharing tier that would change this. If a provider changes their default, we will update this page.

4. Subprocessors

We use the following third-party services to operate Scenair. Each receives only the data needed for its function.

  • Convex: database, authentication, and serverless functions. Receives all platform data.
  • Stripe: payment processing. Receives billing details only when paid plans are enabled.
  • Resend: transactional email (auth, scan results, payment notifications). Receives recipient email + email body.
  • OpenAI, Anthropic, Google AI, Perplexity: AI model inference. Receive prompt text + brand context for scans and artifact drafting.
  • OpenRouter: model routing layer in front of Anthropic and OpenAI. Sees the same prompt text the model providers do.
  • Vercel: application hosting. Sees inbound requests and IPs.
  • Cloudflare Turnstile: bot/abuse challenge on signup, sign-in, and the public scan form. Receives the visitor IP and a one-time challenge response.
  • Sentry: server-side error reporting. Receives stack traces and request metadata; PII (auth headers, query tokens, request bodies) is redacted before sending.
  • PostHog: product analytics on the marketing site. Only loads after explicit cookie consent.
  • Google Analytics 4: site usage analytics. Only loads after explicit cookie consent.

5. Authentication

Sign-in is handled by Convex Auth with two methods: Google OAuth and email + one-time-password (no stored passwords). All session tokens are HttpOnly cookies; we do not expose tokens to client-side JavaScript.

6. Access controls

Every Convex query and mutation enforces workspace-scoped tenancy guards. Members of your workspace see only your workspace's data. Internal Scenair staff access to production data is limited to the founder and a single ops account, used only for billing support and incident response.

7. Compliance status

Scenair is early-stage and does not yet hold a SOC 2 Type II attestation. We follow SOC 2-aligned practices internally (least-privilege access, audit-quality logging, encryption defaults) and plan to pursue formal certification once the business reaches the volume that warrants it. If your procurement process requires a security questionnaire today, email security@scenair.com and we'll respond within two business days.

8. Data deletion and export

You can request data export or full account deletion at any time by emailing privacy@scenair.com. Deletion completes within 30 days. We retain only the data legally required for tax and regulatory purposes after that.

9. Reporting a security issue

If you believe you've found a vulnerability, please email security@scenair.com directly. Do not file a public issue. We acknowledge reports within 48 hours and aim to resolve critical issues within 7 days. We do not currently run a paid bug bounty but recognize legitimate disclosures publicly with permission.

10. Contact

For security questions, vulnerability reports, or procurement questionnaires:

security@scenair.com