Trust & Safety

Security

Last updated: February 2026

Data Encryption

All data stored in Verbal is encrypted at rest using AES-256-GCM — the same standard used by financial institutions and government agencies. Data in transit is protected by TLS 1.3.

Prompt content is protected by per-user envelope encryption via Supabase Vault. Each user's data is encrypted with a unique key — even a database breach would not expose readable prompt content. Prompts are automatically redacted for secrets and PII before storage.

Infrastructure

Verbal runs on two managed, enterprise-grade platforms:

  • Vercel — edge network for the application layer, with automatic DDoS mitigation and global CDN
  • Supabase — managed PostgreSQL with automatic backups, point-in-time recovery, and physical replication

All infrastructure is US-based. We do not use overseas data centers.

Access Control

Access to your data is enforced at the database level using PostgreSQL Row-Level Security (RLS). This means that even if application code had a bug, the database itself would reject unauthorized reads.

  • RLS policies — every query is scoped to the authenticated user's organization
  • API key authentication — all programmatic access requires a scoped API key
  • Role-based permissions — team plans include fine-grained member roles
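
The database-level scoping described above can be illustrated in plain PostgreSQL. This is an added example, not Verbal's schema or code: the table, column, role and setting names are hypothetical, and `current_app_user()` stands in for the identity function a platform such as Supabase provides (`auth.uid()`).

```sql
-- Hypothetical schema: table, column, role and setting names are assumptions.
CREATE TABLE memberships (user_id uuid, org_id uuid, PRIMARY KEY (user_id, org_id));
CREATE TABLE prompts (
    id     bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    org_id uuid NOT NULL,
    body   text NOT NULL
);

-- Constructed sample data: two users, each in a different organization.
INSERT INTO memberships VALUES
    ('00000000-0000-0000-0000-0000000000a1', '00000000-0000-0000-0000-00000000000a'),
    ('00000000-0000-0000-0000-0000000000b1', '00000000-0000-0000-0000-00000000000b');
INSERT INTO prompts (org_id, body) VALUES
    ('00000000-0000-0000-0000-00000000000a', 'org A prompt'),
    ('00000000-0000-0000-0000-00000000000b', 'org B prompt');

-- Stand-in for the caller's identity, read from a session setting.
-- On Supabase the built-in auth.uid() fills this role.
CREATE FUNCTION current_app_user() RETURNS uuid LANGUAGE sql STABLE AS $$
    SELECT nullif(current_setting('app.user_id', true), '')::uuid
$$;

-- Policies are only enforced once RLS is enabled; FORCE also applies them
-- to the table owner, who would otherwise bypass them.
ALTER TABLE prompts ENABLE ROW LEVEL SECURITY;
ALTER TABLE prompts FORCE ROW LEVEL SECURITY;

-- With no WITH CHECK clause, the USING expression also gates new rows.
CREATE POLICY prompts_org_isolation ON prompts FOR ALL
    USING (org_id IN (SELECT m.org_id FROM memberships m
                      WHERE m.user_id = current_app_user()));

CREATE ROLE app_user NOLOGIN;
GRANT SELECT ON prompts, memberships TO app_user;

-- Simulate application code that forgot its WHERE org_id = ... filter.
SET ROLE app_user;
SELECT set_config('app.user_id', '00000000-0000-0000-0000-0000000000a1', false);
-- The policy restricts this unfiltered read to the caller's organization.
SELECT body FROM prompts;

-- With no identity set, the membership lookup matches nothing.
SELECT set_config('app.user_id', '', false);
SELECT body FROM prompts;
RESET ROLE;
```

Run it in a scratch database as a role allowed to create roles. Superusers and roles with BYPASSRLS are not subject to policies, so the check only means something when the application connects as an unprivileged role like `app_user`.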

Data Handling

By default, Verbal captures prompt content along with usage metadata (model, provider, token counts, cost estimates, timestamps). Prompts are automatically redacted — secrets, API keys, PII, and other sensitive patterns are stripped before transmission. All stored prompts are encrypted at rest with per-user keys.

To track only usage metadata without prompt content, set VERBAL_CAPTURE_MODE=usage in your MCP configuration. You can delete all stored data at any time from Settings.

Compliance

Verbal is a small, fast-moving company. We are working toward SOC 2 Type II certification — this is a goal, not a current status. If you have specific compliance requirements, reach out and we will tell you honestly what we can and cannot support.

Responsible Disclosure

If you discover a security vulnerability in Verbal, please report it to security@getverbal.ai. We operate a 90-day coordinated disclosure policy.

  • We will acknowledge receipt within 48 hours
  • We will provide a fix timeline within 7 days
  • We will credit you publicly if you wish