Security

What this covers

This page describes the security practices for all SageRock tools, including our email marketing platform, our school administration tools, and our AI concierge system. Each tool is backed by a dedicated, managed database — so the protections described here apply across the board.

If you are a client, a school administrator, or an IT professional evaluating SageRock, this page is written for you.

What data we store

Depending on which SageRock tools your organization uses, we may store:

  • Contact information — names, email addresses, organizational roles
  • Email engagement history — opens, clicks, unsubscribes
  • Enrollment and attendance records (for school administration tools)
  • AI-assisted communication drafts and follow-up logs
  • Integration credentials for third-party services you connect (such as Salesforce)

We do not store payment information, passwords, or government-issued identification numbers. We collect only what is necessary to deliver the service.

Encryption

Data in transit

All communication between your browser, our tools, and our servers is encrypted using TLS. This is the same standard used by banks and healthcare providers — data traveling over the network cannot be read by anyone intercepting it.

Data at rest

Your data lives in a Supabase-hosted PostgreSQL database running on Amazon Web Services infrastructure. Supabase encrypts the underlying storage volumes at rest by default.

Third-party credentials

When you connect a third-party service to SageRock (such as your SendGrid email account or Salesforce CRM), we store the API credentials required to make that connection work. These credentials are encrypted with AES-256-GCM before they are written to the database. AES-256-GCM is an authenticated encryption standard: it keeps the stored value confidential and detects any modification of it.

For IT

Third-party API keys and OAuth secrets are encrypted at the application layer using AES-256-GCM with a randomly generated IV per encryption operation. The encryption key is stored exclusively in Railway environment secrets and is never written to the database. Decryption occurs in memory at runtime on the API server. The ciphertext format is base64(iv):base64(ciphertext):base64(authTag).
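The envelope format described above, as an added Node.js example (not SageRock's own code). The 12-byte IV, the 16-byte tag, the function names and the sample values are assumptions made for illustration; the page specifies only the algorithm, the per-operation random IV and the three-part format.

```javascript
const crypto = require('node:crypto');

const IV_BYTES = 12;  // assumption: 96-bit IV; the page only says "randomly generated"
const TAG_BYTES = 16; // assumption: full 128-bit GCM tag

// Encrypt to base64(iv):base64(ciphertext):base64(authTag).
function encryptCredential(plaintext, key) {
  if (key.length !== 32) throw new Error('AES-256 needs a 32-byte key');
  const iv = crypto.randomBytes(IV_BYTES); // fresh IV for every operation
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return [iv, ct, cipher.getAuthTag()].map((b) => b.toString('base64')).join(':');
}

// Parse the envelope, enforce field sizes, then decrypt and authenticate.
function decryptCredential(envelope, key) {
  const parts = envelope.split(':'); // ':' never occurs in base64 output
  if (parts.length !== 3) throw new Error('malformed envelope');
  const [iv, ct, tag] = parts.map((p) => Buffer.from(p, 'base64'));
  // Reject short tags explicitly: a truncated tag weakens forgery resistance.
  if (iv.length !== IV_BYTES || tag.length !== TAG_BYTES) {
    throw new Error('malformed envelope');
  }
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv, {
    authTagLength: TAG_BYTES,
  });
  decipher.setAuthTag(tag);
  // final() throws if the tag does not verify (wrong key or modified data).
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

// Flip one ciphertext bit and report whether decryption refuses the result.
function rejectsTampering(envelope, key) {
  const [iv, ct, tag] = envelope.split(':');
  const raw = Buffer.from(ct, 'base64');
  raw[0] ^= 0x01;
  try {
    decryptCredential([iv, raw.toString('base64'), tag].join(':'), key);
    return false;
  } catch {
    return true;
  }
}

// Constructed sample values; a real key would come from the environment secret.
const demoKey = crypto.randomBytes(32);
const sampleSecret = 'constructed-sample-api-key';
const envelope = encryptCredential(sampleSecret, demoKey);
console.log(decryptCredential(envelope, demoKey) === sampleSecret,
  rejectsTampering(envelope, demoKey));
```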

Access control

Client isolation

SageRock serves multiple organizations from the same platform. Each organization’s data is completely separated from every other organization’s data. A user logged in to one organization’s account cannot see, access, or affect another organization’s records — this is enforced at the database level, not just the application level.

For IT

Data isolation is enforced using PostgreSQL Row Level Security (RLS) policies. Every table that contains client data has RLS enabled with policies scoped to client_id. A three-tier admin role system — super_admin, admin, and client_admin — controls data visibility. client_admin users can only read and write records belonging to their assigned client. RLS is enforced at the database layer and cannot be bypassed by application code using the anon or authenticated keys.

Authentication

SageRock tools use Supabase Auth for user authentication. Access tokens are short-lived and automatically refreshed. Admin accounts are provisioned manually — there is no self-service signup for administrative access.

For IT

The frontend uses the PKCE OAuth 2.0 flow. The backend validates Bearer tokens on every authenticated request via supabase.auth.getUser(). The service role key (which bypasses RLS) is stored exclusively in server environment variables and is never exposed to the browser.

Abuse protection

Public-facing endpoints — including webhook receivers and contact import endpoints — have rate limiting applied per IP address. This prevents automated abuse and protects system availability.

Inbound email endpoints require a pre-shared secret key. Requests without the correct key are rejected before any processing occurs.

For IT

Rate limiting is implemented using express-rate-limit. Webhook endpoints are limited to 200 requests per minute per IP. Contact upsert endpoints are limited to 60 requests per minute per IP. Standard RateLimit-* response headers are returned on all limited endpoints.

The AI concierge inbound email webhook requires a ?key= URL parameter matching a secret stored in Railway environment variables. Requests without the matching key receive a 401 response and are not logged or processed.
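One way to implement the ?key= check described above, as an added Node.js example (not SageRock's own code). The function names, the /webhooks/inbound-email path and the sample keys are hypothetical; the constant-time comparison and the log redaction are assumptions about how such a check is commonly hardened, since a secret carried in a URL can otherwise end up in access logs.

```javascript
const crypto = require('node:crypto');

// Constant-time comparison. Hashing both sides first yields equal-length
// buffers, which crypto.timingSafeEqual requires.
function keysMatch(presented, expected) {
  const a = crypto.createHash('sha256').update(String(presented)).digest();
  const b = crypto.createHash('sha256').update(String(expected)).digest();
  return crypto.timingSafeEqual(a, b);
}

// Return the HTTP status for an inbound webhook request.
// expectedKey stands in for the secret held in the environment.
function authorizeInbound(requestUrl, expectedKey) {
  // Fail closed: an unset secret must never match an empty ?key= value.
  if (!expectedKey) return 401;
  const url = new URL(requestUrl, 'http://localhost'); // base only for parsing
  const presented = url.searchParams.get('key');
  if (presented === null) return 401;
  return keysMatch(presented, expectedKey) ? 200 : 401;
}

// Strip the secret from a request URL before it reaches any log line.
function redactKey(requestUrl) {
  const url = new URL(requestUrl, 'http://localhost');
  if (url.searchParams.has('key')) url.searchParams.set('key', 'REDACTED');
  return url.pathname + url.search;
}

// Constructed sample requests against a hypothetical path.
const demoSecret = 'constructed-webhook-secret';
console.log(authorizeInbound('/webhooks/inbound-email?key=' + demoSecret, demoSecret));
console.log(authorizeInbound('/webhooks/inbound-email?key=guess', demoSecret));
console.log(redactKey('/webhooks/inbound-email?key=' + demoSecret));
```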

Infrastructure and subprocessors

SageRock relies on best-in-class infrastructure providers. Each of them maintains its own security certifications and practices.

Database

Supabase

Hosts our PostgreSQL database on AWS. SOC 2 Type II certified. Automatic daily backups with point-in-time recovery. Data encrypted at rest and in transit.

API Server

Railway

Hosts our backend API server. Environment secrets are encrypted and never exposed in logs or source code. TLS termination on all incoming connections.

Email Delivery

SendGrid

Handles outbound email delivery for our email marketing platform. SOC 2 Type II certified. Supports DKIM, SPF, and DMARC for email authentication.

AI

Anthropic

Powers AI-assisted features. Anthropic’s API does not train on customer data submitted through the API. Data is processed transiently and not retained.

Backups and availability

Your data is automatically backed up daily by Supabase on AWS infrastructure. In the event of data loss or corruption, we can restore to a prior point in time. Backups are stored redundantly and are not accessible to SageRock staff in plaintext.

Our API server and frontend are deployed on Railway, which provides automatic restarts and zero-downtime deployments for updates.

Reporting a security concern

Found something?

If you believe you have found a security vulnerability or have concerns about how your data is handled, please contact us directly. We respond to all security reports promptly.

sage@sagerock.com

Last updated: May 2026 — This page is updated as our security practices evolve.