Last updated: March 2026
Infrastructure
Speqs runs entirely on Google Cloud Platform with managed services that carry strong security track records.
- Application backend: Google Cloud Run (europe-west1, Belgium)
- Application frontend: Google Cloud Run (europe-west1, Belgium)
- Database: Supabase PostgreSQL (managed, SOC 2 Type II)
- File storage: Supabase Storage and Google Cloud Storage
- Region: Primary data processing and storage in the EU
Data security
Encryption in transit
All network communication is encrypted using TLS 1.2 or higher, enforced by our cloud infrastructure. This covers browser-to-server, server-to-database, and server-to-server traffic.
Encryption at rest
Data at rest is encrypted by our cloud infrastructure. Sensitive application secrets are additionally encrypted using Fernet symmetric encryption before storage.
Secrets management
Application secrets and API keys are stored as environment variables, never in source code. Secrets are typed to prevent accidental logging or serialization.
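The two controls above (typed secrets that refuse to print or serialize, and Fernet encryption before storage) are easy to get subtly wrong, so here is an added illustration of both together. This is example code written for this page, not Speqs code; it assumes the `cryptography` package (which provides Fernet) is installed, and the names `Secret`, `encrypt_secret`, `decrypt_secret`, `tamper_detected` and `demo` are hypothetical.

```python
"""Typed secret wrapper, encrypted with Fernet before storage.

Added example (not Speqs code). Assumes the `cryptography` package is
installed; all function and class names are hypothetical.
"""
import json
from cryptography.fernet import Fernet, InvalidToken


class Secret:
    """A sensitive string that cannot leak through repr, str, format or JSON.

    The plaintext is only reachable through reveal(), which keeps the call
    sites that handle raw secrets easy to grep for and audit.
    """

    __slots__ = ("_value",)

    def __init__(self, value: str) -> None:
        self._value = value

    def reveal(self) -> str:
        return self._value

    def __repr__(self) -> str:
        return "Secret('**********')"

    __str__ = __repr__

    def __format__(self, spec: str) -> str:
        # f-strings and logging's %-formatting end up here or in __str__.
        return repr(self)

    def __eq__(self, other: object) -> bool:
        return isinstance(other, Secret) and self._value == other._value

    __hash__ = None  # unhashable: keeps secrets out of dict keys and sets by accident


def is_json_serializable(obj: object) -> bool:
    """json.dumps() refuses a Secret outright (TypeError); even a lenient
    default=str fallback would only emit the mask."""
    try:
        json.dumps(obj)
        return True
    except TypeError:
        return False


def encrypt_secret(fernet: Fernet, secret: Secret) -> bytes:
    """Fernet token: AES-128-CBC ciphertext + HMAC-SHA256 tag + timestamp,
    URL-safe base64 encoded, ready to be stored in a database column."""
    return fernet.encrypt(secret.reveal().encode("utf-8"))


def decrypt_secret(fernet: Fernet, token: bytes) -> Secret:
    """Authenticated decryption; a modified token raises InvalidToken."""
    return Secret(fernet.decrypt(token).decode("utf-8"))


def tamper_detected(fernet: Fernet, token: bytes) -> bool:
    """Flip one character inside the token body and confirm the HMAC check rejects it."""
    i = 30  # inside the IV/ciphertext region of the base64 token
    altered = token[:i] + (b"A" if token[i:i + 1] != b"A" else b"B") + token[i + 1:]
    try:
        fernet.decrypt(altered)
        return False
    except InvalidToken:
        return True


def demo() -> dict:
    """Round trip with a constructed sample value; returns what each control did."""
    key = Fernet.generate_key()  # in production: loaded from an env var, never source code
    f = Fernet(key)
    api_key = Secret("sk_constructed_example_value")  # constructed sample, not a real key
    token = encrypt_secret(f, api_key)
    return {
        "log_line": "loaded key: %s" % api_key,        # masked
        "fstring": f"{api_key}",                       # masked
        "json_ok": is_json_serializable(api_key),      # False
        "roundtrip": decrypt_secret(f, token) == api_key,
        "tamper_rejected": tamper_detected(f, token),
    }


if __name__ == "__main__":
    print(demo())
```

The wrapper does not stop a determined caller (`reveal()` is right there), but it turns the common accidents, a secret in a log line, an error report or a serialized request body, into a masked string or a hard `TypeError`, and the Fernet token is authenticated, so a row edited in the database is rejected rather than decrypted to garbage.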
AI and data processing
Speqs uses AI to simulate user behavior in digital products. All AI inference runs on Google Vertex AI within the EU (europe-west1).
- Customer data is not sent to third-party AI providers outside of Google Cloud
- Customer data is not used to train AI models
- AI processing stays within the same EU region as the rest of the platform
Authentication and access control
- User authentication: JWT-based via Supabase Auth with ES256 signing and JWKS validation
- OAuth 2.0: PKCE flow for third-party sign-in (Google, Figma)
- Authorization: Role-based access control with tiered permissions
- Service-to-service: OIDC tokens for internal service communication
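The PKCE flow named in the list above is worth seeing end to end, because the protection only holds if the server side does its half correctly. The following is an added example, not Speqs or Supabase code: a client-side verifier/challenge generator per RFC 7636 and a minimal in-memory `AuthServer` stand-in that stores the challenge with the issued code and checks the verifier at token exchange. All names are hypothetical, and the test vector is the one from RFC 7636 Appendix B.

```python
"""PKCE (RFC 7636): what the client generates before redirecting to the
authorization server, and the check the server performs at token exchange.

Added example, not Speqs or Supabase code. AuthServer is a minimal in-memory
stand-in for the authorization server; all names are hypothetical.
"""
import base64
import hashlib
import hmac
import secrets


def _b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def generate_code_verifier(n_bytes: int = 32) -> str:
    """High-entropy verifier; 32 random bytes encode to 43 chars (the RFC minimum)."""
    return _b64url(secrets.token_bytes(n_bytes))


def code_challenge_s256(verifier: str) -> str:
    """challenge = BASE64URL(SHA256(ASCII(verifier)))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthServer:
    """Stores the challenge with the issued code and checks the verifier later."""

    def __init__(self) -> None:
        self._pending: dict[str, tuple[str, str]] = {}

    def authorize(self, code_challenge: str, method: str) -> str:
        # Only S256 is accepted; 'plain' would let an observed challenge be replayed.
        if method != "S256":
            raise ValueError("unsupported code_challenge_method")
        code = secrets.token_urlsafe(32)
        self._pending[code] = (code_challenge, method)
        return code

    def exchange(self, code: str, code_verifier: str) -> bool:
        entry = self._pending.pop(code, None)  # authorization codes are single use
        if entry is None:
            return False
        stored_challenge, _ = entry
        if not 43 <= len(code_verifier) <= 128:
            return False
        # Constant-time comparison of the recomputed challenge with the stored one.
        return hmac.compare_digest(code_challenge_s256(code_verifier), stored_challenge)


def pkce_round_trip(client_holds_verifier: bool) -> bool:
    """Simulate the flow: the code is only useful together with the original verifier."""
    server = AuthServer()
    verifier = generate_code_verifier()
    code = server.authorize(code_challenge_s256(verifier), "S256")
    presented = verifier if client_holds_verifier else generate_code_verifier()
    return server.exchange(code, presented)


if __name__ == "__main__":
    print("legitimate client:", pkce_round_trip(True))   # True
    print("code without verifier:", pkce_round_trip(False))  # False
```

The two checks that matter on the server are the ones that are easiest to drop: accept only `S256`, and treat the code as single use so that a verifier cannot be retried against the same code.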
Application security
- Input validation: Strict schema validation on all API inputs
- Security linting: Automated static analysis integrated in our development workflow
- Error handling: Environment-aware responses – no stack traces or internal paths exposed in production
- Security headers: X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy
- Source protection: No source maps served in production
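Two of the items above, the fixed security headers and environment-aware error responses, are naturally enforced in one place at the edge of the application rather than per endpoint. The following added example (not Speqs code) shows that as a small WSGI middleware: it fills in any of the four listed headers the application did not set itself, and on an unhandled exception it returns a generic body in production and the traceback only elsewhere. The header values, the `environment` switch and the names `Hardened`, `call_app` and `demo_app` are assumptions for this illustration; the page lists only the header names.

```python
"""Hardening HTTP responses in a WSGI middleware: fixed security headers on
every response and environment-aware error handling (traceback only outside
production).

Added example, not Speqs code. Header values and the environment switch are
assumptions; Hardened, call_app and demo_app are hypothetical names.
"""
import sys
import traceback

# Assumed values; the page names the headers but not their settings.
SECURITY_HEADERS = [
    ("X-Frame-Options", "DENY"),
    ("X-Content-Type-Options", "nosniff"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
    ("Permissions-Policy", "camera=(), microphone=(), geolocation=()"),
]


class Hardened:
    """Wraps any WSGI application."""

    def __init__(self, app, environment: str) -> None:
        self.app = app
        self.production = environment == "production"

    def __call__(self, environ, start_response):
        def hardened_start(status, headers, exc_info=None):
            present = {name.lower() for name, _ in headers}
            # Headers the app set itself win; missing ones are filled in.
            merged = list(headers) + [h for h in SECURITY_HEADERS if h[0].lower() not in present]
            return start_response(status, merged, exc_info)

        try:
            return self.app(environ, hardened_start)
        except Exception:
            if self.production:
                body = b"Internal Server Error"  # no stack trace, no internal paths
            else:
                body = traceback.format_exc().encode("utf-8")
            hardened_start("500 Internal Server Error",
                           [("Content-Type", "text/plain; charset=utf-8")],
                           sys.exc_info())
            return [body]


def call_app(app, path="/"):
    """Drive a WSGI app with a constructed request; return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return captured["status"], dict(captured["headers"]), body.decode("utf-8")


def demo_app(environ, start_response):
    """Constructed application: '/' succeeds, '/boom' raises an unhandled error."""
    if environ["PATH_INFO"] == "/boom":
        return [str(1 / 0).encode()]
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("X-Frame-Options", "SAMEORIGIN")])
    return [b"ok"]


if __name__ == "__main__":
    for env in ("production", "development"):
        status, headers, body = call_app(Hardened(demo_app, env), "/boom")
        print(env, status, body.splitlines()[-1])
```

Placing the logic in middleware means a new endpoint cannot forget the headers, and the production branch never formats the exception at all, so a file path or internal hostname cannot slip into the body through a stray `str(exc)`.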
Compliance
- ISO 27001: Certification in progress
- GDPR: EU-based data processing and storage, data minimization practices, user rights supported
- DPA: A Data Processing Agreement is available on request
For details on how we handle personal data, see our privacy policy.
Subprocessors
The following third-party services are used to operate our platform. Where subprocessors operate outside the EU, appropriate safeguards are in place.
| Provider | Purpose | Location | Certifications |
|---|---|---|---|
| Google Cloud Platform | Hosting, AI inference, storage, task queue | EU | SOC 2, ISO 27001 |
| Supabase | Database, authentication, file storage | EU | SOC 2 Type II |
| Figma | Design file integration | US | SOC 2 Type II, ISO 27001 |
| Browserbase | Cloud browser sessions | US | SOC 2 Type II |
| ElevenLabs | Audio transcription | US/EU | SOC 2 Type II, ISO 27001 |
| Stripe | Billing | US/EU | PCI DSS, SOC 2 |
| Resend | Transactional email | US | SOC 2 |
Data retention
Simulation data is retained while your account is active. Data is deleted upon account termination and on request. For specific retention questions, contact us at security@speqs.io.
Incident response
We maintain an incident response process covering identification, containment, resolution, and post-incident review. Affected customers are notified within 72 hours of a confirmed data breach, in accordance with GDPR requirements.
Responsible disclosure
If you discover a security vulnerability, please report it to security@speqs.io. We will acknowledge your report within 3 business days and work with you to understand and address the issue.
Questions?
For security inquiries, to request our DPA, or to send us your security questionnaire, contact us at security@speqs.io.