HARDCORE AAA

Security

At Hardcore AAA, security isn't an afterthought — it's foundational. Every layer of our platform is designed to protect your data, your leads, and your business.

Data Protection

All data is encrypted in transit using TLS 1.3 and at rest using AES-256 encryption.

Database storage is powered by Supabase PostgreSQL with row-level security (RLS) policies on every table, ensuring users can only access their own data.

Sensitive fields including API keys and credentials are encrypted before storage and never exposed in API responses.

Semantic memory powered by pgvector uses isolated vector spaces per tenant, preventing cross-contamination of agent memory.

Infrastructure

Our platform runs on enterprise-grade cloud infrastructure with automatic scaling, redundancy, and a 99.9% uptime SLA.

All services communicate over private networks with no public-facing database endpoints.

Automated backups run every 24 hours with point-in-time recovery capability.

Environment secrets are managed through secure vault systems — never committed to code or stored in plaintext.

Authentication & Access Control

Authentication is handled by Supabase Auth supporting email/password and Google OAuth providers.

Sessions are managed via secure httpOnly cookies with JWT tokens that automatically refresh.

We use role-based access control (RBAC) with three tiers: user, admin, and superadmin, each with granular permissions.

API endpoints support dual authentication: JWT Bearer tokens for user sessions and API Key headers for programmatic access.

All admin operations require elevated privileges and are audit-logged.

Compliance

We follow security best practices aligned with OWASP Top 10 guidelines.

Input validation and sanitization are applied on all API endpoints to prevent injection attacks.

CORS policies restrict API access to authorized origins only.

We run regular dependency audits and automated vulnerability scanning in our CI/CD pipeline.

Responsible Disclosure

If you discover a security vulnerability, we appreciate your help in disclosing it responsibly.

Please email security@hardcoreaaa.com with a description of the issue.

Do not publicly disclose the vulnerability until we've had a chance to address it.

We aim to acknowledge reports within 48 hours and provide a fix timeline within 5 business days.

We do not pursue legal action against researchers who follow responsible disclosure practices.
