Procedurio

Security & Trust

Last updated: February 25, 2026

1. Data Protection Overview

We take your data seriously. SOPs contain sensitive operational procedures that are critical to your business. Our security architecture is designed to protect your intellectual property and operational data with the same rigor you expect from enterprise software.

This page explains how we secure your data, what controls we have in place, and what rights you have over your information.

2. Infrastructure Security

Procedurio runs on hardened, dedicated infrastructure with multiple layers of protection:

  • Dedicated VPS hosting — Ubuntu 24.04 LTS with automated security updates
  • TLS/SSL encryption — All data in transit is encrypted using modern TLS protocols. Your browser connection to Procedurio is always secure.
  • SSH key-only access — Password authentication is disabled. Server access requires cryptographic keys.
  • Firewall protection — UFW firewall with minimal open ports (HTTPS, SSH only)
  • Regular security patching — Operating system and dependencies are kept current with security updates

3. Data Handling

Your SOP content is your intellectual property. Here's how we handle it:

  • Your data stays yours — SOP content is stored in your account only. We do not share it with other users or use it for marketing purposes.
  • We do NOT train AI on your content — Your SOP inputs and outputs are never used to train machine learning models. We do not feed your data back into AI training pipelines.
  • AI processing uses Anthropic's API — When you generate an SOP, your inputs are sent to Anthropic's Claude API. Anthropic does NOT train on API data. See Anthropic's Privacy Policy and Commercial Terms.
  • Per-user isolation — Data is isolated per user via Supabase Row Level Security (RLS). You can only access your own SOPs. Database-level policies enforce this — not just application logic.
  • Encryption at rest — All database content is encrypted at rest using AES-256 encryption managed by Supabase.

4. Your Data Rights

You have complete control over your data:

  • You own your SOPs — Always. No exceptions. Procedurio is a tool you use to generate documents. The output belongs to you.
  • Export anytime — Download your SOPs in Word format (.docx) at any time. No lock-in.
  • Delete on request — Want to delete your account and all associated data? Email kory@procedurio.com. We will permanently delete your account and all SOPs within 30 days.
  • No copies after deletion — When you delete your data, it's gone. We do not retain backups of deleted user content beyond our standard backup retention window (30 days).

5. Authentication & Access

We use modern authentication practices to protect your account:

  • Email + password authentication — Managed by Supabase Auth with bcrypt password hashing
  • Email verification required — You must verify your email address before using the platform
  • Rate limiting on all auth endpoints — Brute-force attacks are blocked automatically
  • Fail-closed rate limiting — If our rate limiter encounters an error, it blocks the request (it does not allow through). This prevents bypass attacks.

6. Application Security

We follow secure development practices to prevent common vulnerabilities (OWASP Top 10):

  • Input sanitization — All user content is sanitized before rendering to prevent XSS attacks
  • Content Security Policy (CSP) — HTTP headers restrict where scripts can load from
  • XSS protection via DOMPurify — User-generated content is cleaned before display
  • No sensitive data in client-side logs — API keys, tokens, and personal information are never logged to the browser console
  • Regular security audits — We review code for vulnerabilities and update dependencies promptly
  • Secure API design — All API endpoints validate inputs using Zod schemas and enforce authentication

7. Compliance Readiness

Procedurio is designed to support regulated industries. Our platform helps you document compliance, but we also take compliance seriously ourselves:

  • Regulation coverage — Our regulation database includes ISO 9001, FDA 21 CFR Part 11, FDA 21 CFR Part 210/211 (cGMP), OSHA, HACCP, ISO 13485, AS9100, IATF 16949, and more. We provide verified clause references — not AI hallucinations.
  • SOC 2 principles — While Procedurio is not yet SOC 2 certified, we follow SOC 2 Type II principles in our security practices (access controls, encryption, logging, incident response).
  • HIPAA BAA available on request — If you work in healthcare and need a Business Associate Agreement (BAA), contact us at kory@procedurio.com. (BAA support is coming soon — currently available on a case-by-case basis.)
  • GDPR-friendly — We provide data export, deletion, and transparency about data processing. See our Privacy Policy for details.

8. Incident Response

If we detect a security incident that affects your data, we will notify you promptly via email. We maintain internal incident response procedures and work to resolve issues as quickly as possible.

If you discover a security vulnerability, please report it to kory@procedurio.com. We take responsible disclosure seriously and will work with you to address the issue.

9. Questions?

Security is an ongoing commitment. If you have questions about our security practices, need additional assurances for procurement, or want to discuss compliance requirements for your organization, reach out:

Email: kory@procedurio.com

We're a small team building software for serious industries. We're happy to walk you through our security architecture in detail.