Security | GuidelightIQ

Security Ratings & Certifications

🔒SSL/TLS

A+

Qualys SSL Labs Rating

🛡️Security Headers

SecurityHeaders.com Rating

Encryption

Client-Side Encryption

All sensitive vault data is encrypted on your device using industry-standard algorithms before being transmitted to our servers. Your encryption keys are derived from your master password and never leave your device.

XSalsa20-Poly1305: Authenticated encryption for vault contents
Argon2: Memory-hard key derivation to protect against brute-force attacks
TLS 1.3: All data in transit is protected with the latest transport security

What We Can't See

Due to our zero-knowledge architecture, GuidelightIQ staff cannot access:

Your vault item contents (account numbers, passwords, notes, etc.)
Your master password or encryption keys
Decrypted contents of shared vault items
Uploaded document contents

Infrastructure Security

Hosting: Deployed on Vercel's secure, globally-distributed edge network
Database: Supabase with Row Level Security (RLS) policies enforcing data isolation
Authentication: Secure session management with automatic timeouts
DDoS Protection: Automatic mitigation through our infrastructure providers
Uptime Monitoring: 24/7 monitoring with automated alerts

Security Headers

We implement comprehensive HTTP security headers to protect against common web attacks:

Header	Protection
Strict-Transport-Security	Forces HTTPS connections
Content-Security-Policy	Prevents XSS and injection attacks
X-Frame-Options	Prevents clickjacking attacks
X-Content-Type-Options	Prevents MIME-type sniffing
Referrer-Policy	Controls referrer information leakage
Permissions-Policy	Restricts browser feature access

Continuous Security Testing

We employ multiple layers of automated security testing to catch vulnerabilities before they reach production:

Dependency Scanning: Automated alerts for vulnerable packages via Dependabot
Static Analysis (SAST): Semgrep scans code for security issues on every commit
Dynamic Analysis (DAST): OWASP ZAP scans the live application for vulnerabilities
Secret Scanning: GitHub Secret Scanning prevents accidental credential exposure
npm Audit: Automated security audits of production dependencies in CI/CD

Email Security

All emails from GuidelightIQ are authenticated to prevent spoofing and phishing:

SPF (Sender Policy Framework): Verifies authorized sending servers
DKIM (DomainKeys Identified Mail): Cryptographically signs all outgoing emails
DMARC: Instructs email providers on handling authentication failures

Account Security Features

Multi-Factor Authentication (MFA): Optional TOTP-based two-factor authentication
Session Management: View and revoke active sessions across devices
Automatic Timeouts: Sessions expire after periods of inactivity
reCAPTCHA Protection: Prevents automated attacks on authentication endpoints
Audit Logging: Track access and changes to your account and vaults

Data Protection

Data Isolation: Row Level Security ensures users can only access their own data
Encrypted Backups: Regular encrypted backups for disaster recovery
Data Residency: Your data is stored in secure, SOC 2 compliant data centers
Secure Deletion: When you delete data, it's permanently removed from our systems

Responsible Disclosure

We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly:

Report Security Issues

Email: security@guidelightiq.com

Please include detailed steps to reproduce the issue. We aim to acknowledge reports within 48 hours and will work with you to understand and address the issue promptly.

Security at a Glance

✓Zero-knowledge encryption — Your data is encrypted before it reaches us
✓A+ SSL rating — Industry-leading transport security
✓Continuous security testing — Automated scans on every deployment
✓MFA support — Additional protection for your account
✓SOC 2 compliant infrastructure — Enterprise-grade hosting

Security at GuidelightIQ

Zero-Knowledge Architecture