Built around least privilege, encrypted tokens, and user approval.
Vayiq handles platform connections and content strategy data carefully because creators and local businesses trust the product with their accounts, drafts, and brand memory.
Last updated: June 28, 2026
Authentication and workspace isolation
- Studio routes require a signed-in Supabase session before private workspace data is rendered.
- Database access is scoped by organization membership through Row Level Security policies.
- Billing management is restricted to workspace owners and admins.
OAuth and token handling
- OAuth state is signed and expires quickly.
- PKCE is used where supported by the provider.
- Access and refresh tokens are encrypted server-side before storage.
- Token values are not selected into client-facing studio snapshot data and are never stored in localStorage.
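One way to implement the "signed and expires quickly" OAuth state from the list above, as an added example that is not Vayiq's own code. The function names, the HMAC-SHA256 construction, the 10-minute lifetime and the session binding are all assumptions made for illustration.

```javascript
// Added example: signed, short-lived OAuth state (all names are assumptions).
const { createHmac, randomBytes, timingSafeEqual } = require('node:crypto');

const STATE_TTL_MS = 10 * 60 * 1000; // assumed lifetime; the page only says "expires quickly"

function sign(secret, payload) {
  return createHmac('sha256', secret).update(payload).digest('base64url');
}

// Issue a state value bound to the session that starts the OAuth flow.
function issueState(secret, sessionId, now = Date.now()) {
  const body = Buffer.from(JSON.stringify({
    sid: sessionId,
    nonce: randomBytes(16).toString('base64url'),
    exp: now + STATE_TTL_MS,
  })).toString('base64url');
  return `${body}.${sign(secret, body)}`;
}

// Verify on the callback: signature first, then expiry, then session binding.
function verifyState(secret, state, sessionId, now = Date.now()) {
  if (typeof state !== 'string') return { ok: false, reason: 'malformed' };
  const parts = state.split('.');
  if (parts.length !== 2) return { ok: false, reason: 'malformed' };
  const [body, mac] = parts;
  const expected = Buffer.from(sign(secret, body));
  const given = Buffer.from(mac);
  // Constant-time comparison; the length check avoids a throw on unequal sizes.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad-signature' };
  }
  // The body is only parsed after its signature has been verified.
  const claims = JSON.parse(Buffer.from(body, 'base64url').toString('utf8'));
  if (now >= claims.exp) return { ok: false, reason: 'expired' };
  if (claims.sid !== sessionId) return { ok: false, reason: 'wrong-session' };
  return { ok: true, reason: null };
}

// Constructed sample values, not real secrets or sessions.
const demoSecret = 'constructed-demo-secret';
const demoState = issueState(demoSecret, 'session-A', 1_000);
console.log(verifyState(demoSecret, demoState, 'session-A', 2_000));
```

This checks integrity, freshness and session binding only; making a state value single-use would additionally require tracking the nonce server-side.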
AI and cost controls
- Server-side model calls require authentication and organization membership.
- Durable Supabase reservations protect model-spend limits across concurrent requests.
- Multi-call content-pack generation uses weighted reservations so one request cannot hide five model calls.
Release security
Before production release, Vayiq runs type checks, linting, targeted tests, production builds, route checks, dependency audit review, and Codex Security scans for sensitive changes.
Responsible disclosure
If you believe you found a security issue, email security@vayiq.com with a clear description, affected URL, steps to reproduce, and impact. Please do not access or modify other users' data.
Need help or deletion?
Email privacy@vayiq.com. For API and platform review questions, use platforms@vayiq.com.