Security

How Frenzee protects your work

No buzzwords. Specifics about what we encrypt, who can see what, and how to get your data out. Anything missing? Email security@frenzee.co.

  1. Auth

    Magic-link only · session-scoped cookies

    Sign-in is passwordless via Supabase Auth magic-link. No password rotation policies, no shared logins. Session cookies are HttpOnly, Secure, and SameSite=Lax, scoped to *.frenzee.co with a 7-day TTL. There are no password hashes to leak because there are no passwords.

  2. Encryption

    TLS in transit · AES-256 at rest

    All traffic to frenzee.co and app.frenzee.co is HTTPS-only with HSTS. The Postgres database encrypts everything at rest with AES-256, including automated backups.

  3. Access

    Per-owner row-level security · least privilege

    Every table that holds owner data has Row Level Security enabled — the owner sees their rows, nobody else does. Service-role keys are used only by server-side jobs and never reach the browser; a build-time check fails the deploy if a service-role import leaks into client code.

  4. Sub-processors

    A short list, and we tell you who they are

    Supabase (Postgres and Auth) · Vercel (web hosting and serverless) · OpenRouter / Moonshot (the LLM the agent reasons with) · Resend (transactional email) · Stripe (billing). No data brokers. No analytics SDKs that re-identify you.

  5. Vendor messages

    We read only the threads you connect

    When you connect Gmail via OAuth, Frenzee reads inbound messages from the threads you tag for production. It does not enumerate your whole mailbox and does not export your contact lists. Messages outside the threads you tag are not stored on our infrastructure.

  6. Right to delete

    Email us and your account is destroyed

    Ask us to delete your account and we destroy the auth row and cascade-delete every owner-scoped row tied to it, with a confirmation email before destruction. Send the request from your account email to privacy@frenzee.co.

  7. Backups

    Daily snapshots · 7-day retention

    Supabase takes daily automated snapshots of the production database with 7-day retention. Point-in-time recovery is available within that window.
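The build-time check mentioned under Access (item 3) could look like the sketch below, which follows imports transitively because a plain text search of client files misses a service-role module that arrives through an intermediate import. This is an added example, not Frenzee's own code. It assumes client entry points carry a `'use client'` directive, that `@/` aliases the repository root, and that the key is read from an environment variable named `SUPABASE_SERVICE_ROLE_KEY`; all file names are constructed.

```javascript
// Added example: hypothetical deploy gate, not Frenzee's actual check.
// Assumed: 'use client' marks browser entry points, "@/" aliases the repo
// root, and the service-role key is read as SUPABASE_SERVICE_ROLE_KEY.
const SERVER_ONLY = /SUPABASE_SERVICE_ROLE_KEY/;
const IMPORT_RE = /(?:\bfrom|\bimport|\brequire)\s*\(?\s*['"]([^'"]+)['"]/g;

// Map an import specifier to a path in `files` (a Map of path -> source).
function resolveImport(fromPath, spec, files) {
  let parts;
  if (spec.startsWith('@/')) parts = [];
  else if (spec.startsWith('.')) parts = fromPath.split('/').slice(0, -1);
  else return null; // bare package import: outside the repo, not followed
  for (const seg of spec.replace(/^@\//, '').split('/')) {
    if (seg === '..') parts.pop();
    else if (seg !== '.') parts.push(seg);
  }
  const base = parts.join('/');
  return [base, `${base}.js`, `${base}.ts`, `${base}/index.js`].find((p) => files.has(p)) || null;
}

// Return the import chains that lead from client entry points to server-only code.
function findServiceRoleLeaks(files) {
  const leaks = [];
  for (const [entry, src] of files) {
    if (!/^\s*['"]use client['"]/.test(src)) continue;
    const seen = new Set([entry]);
    const stack = [[entry]];
    while (stack.length) {
      const chain = stack.pop();
      const path = chain[chain.length - 1];
      const code = files.get(path);
      if (SERVER_ONLY.test(code)) { leaks.push(chain.join(' -> ')); continue; }
      for (const m of code.matchAll(IMPORT_RE)) {
        const next = resolveImport(path, m[1], files);
        if (next && !seen.has(next)) { seen.add(next); stack.push([...chain, next]); }
      }
    }
  }
  return leaks;
}

// Constructed sample tree: dashboard.js reaches the admin client indirectly.
const sample = new Map([
  ['lib/supabase/admin.js', 'export const admin = createClient(URL, process.env.SUPABASE_SERVICE_ROLE_KEY);'],
  ['lib/orders.js', "import { admin } from './supabase/admin';\nexport const all = () => admin.from('orders').select();"],
  ['app/dashboard.js', "'use client';\nimport { all } from '@/lib/orders';"],
  ['app/settings.js', "'use client';\nimport { useState } from 'react';"],
  ['app/api/cron.js', "import { admin } from '@/lib/supabase/admin';"],
]);
const deployExitCode = (files) => (findServiceRoleLeaks(files).length ? 1 : 0);
console.log(findServiceRoleLeaks(sample), 'exit', deployExitCode(sample));
```

In CI, the map would be filled from the source tree and the returned code passed to the process exit status so a leak blocks the deploy.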

Disclosure: this page describes Frenzee’s current operational posture, not a certification. We are not yet SOC 2 or ISO 27001 certified; we will publish here when that changes.

Found a vulnerability? Email security@frenzee.co with reproduction steps and we will respond.