ReploraAI
Security

We take the security of your account, your Google Business data, and your customers' information seriously. Here's exactly how we protect it.

Last updated: April 2026

1. Authentication & Access

Google OAuth 2.0: Replora never asks for your Google password. We use the official Google OAuth 2.0 flow to obtain limited, revocable access tokens. You authorise exactly what we can access — and you can revoke access at any time from your Google Account settings.

JWT-based sessions: Replora sessions use JSON Web Tokens with a 7-day access token and a 30-day refresh token. Tokens are stored client-side and are never placed in URLs, where they would leak into browser history, server logs and Referer headers.

Password hashing: All Replora account passwords are hashed using bcrypt with a work factor that meets current OWASP recommendations (a cost factor of at least 10). We do not store plain-text passwords.

2. Data Encryption

  • In transit: All data between your browser, our servers, and Google APIs is encrypted using TLS 1.3. We enforce HTTPS across all endpoints and redirect HTTP to HTTPS automatically.
  • At rest: Google OAuth tokens stored in our database are encrypted using AES-256 before being written to disk. Your raw OAuth credentials are never stored unencrypted.
  • Database: Our database (Supabase, hosted PostgreSQL) enforces row-level security (RLS) policies, so every query is scoped to the authenticated account. Customers share the same database, but one customer's rows are never returned to another.

3. Google API Compliance

Replora AI's use of Google API data adheres strictly to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • We only request the minimum Google API scopes required to read reviews and post replies.
  • We do not use Google API data for advertising, profiling, or selling to third parties.
  • We do not allow humans to read your review data except to provide or improve the service, or when required by law.
  • We do not transfer Google API data to third parties except as necessary to provide the service (AI reply generation, email notifications).

4. AI Processing Security

When generating AI replies, Replora sends only the review text and your configured reply tone to Google Vertex AI (Gemini). We explicitly do not send:

  • Reviewer names or profile photos
  • Your Google OAuth tokens
  • Your business's billing or payment information
  • Any data from other customers

AI-generated replies are suggestions. They are not posted to your Google Business Profile unless you approve them, or unless you have explicitly enabled auto-reply for specific star ratings, in which case replies to reviews with those ratings are posted without a per-reply approval step.

5. Infrastructure Security

  • Cloud hosting: Replora runs on infrastructure provided by Vercel (frontend) and Supabase (database/backend), both of which maintain SOC 2 Type II compliance.
  • DDoS protection: Our hosting providers include DDoS mitigation at the network level.
  • Dependency scanning: We use automated dependency scanning to identify and patch known vulnerabilities in our software dependencies.
  • Environment isolation: Production, staging, and development environments are fully isolated with separate credentials and access controls.

6. Access Controls

Access to production systems is restricted to authorised Replora team members only, requires multi-factor authentication, and is logged. We follow the principle of least privilege — team members only have access to the systems they need for their role.

7. Incident Response

In the event of a security incident affecting your data, we will notify you by email within 72 hours of becoming aware of the incident, in accordance with applicable data protection regulations. We will provide details of what data was affected and steps we are taking to address the issue.

8. Responsible Disclosure

If you discover a security vulnerability in Replora AI, we ask that you report it responsibly to security@reploraai.com before disclosing it publicly. We will investigate and respond within 5 business days.

9. Questions

For security-related questions, contact security@reploraai.com.

© 2024 Replora AI. All Rights Reserved.