Security
How we protect your data and your users' experience.
Tenant Isolation
ActivationKit is a multi-tenant platform. Every database query is scoped to your tenant via PostgreSQL Row-Level Security (RLS). Tenant context is set per-transaction — queries cannot access another tenant's data even in the event of an application-level bug. API keys are unique per tenant and hashed at rest.
Encryption
In transit: All connections use TLS 1.2+. The SDK communicates with the API exclusively over HTTPS. Dashboard access requires HTTPS.
At rest: Database storage is encrypted at rest via Neon's infrastructure (AES-256). Backups are encrypted.
Authentication
Dashboard: Authentication is managed by Clerk, supporting email/password, GitHub OAuth, and Google OAuth. Multi-factor authentication (MFA) is available.
API: All API requests require a valid X-ND-Key header. Keys can be rotated from the dashboard Settings page at any time.
Rate Limiting
All API endpoints are rate-limited per tenant to prevent abuse. Chat endpoints allow 20 requests/minute, event ingestion allows 60/minute, and schema discovery allows 10/minute. Exceeding limits returns a 429 status.
SDK Security
The ActivationKit SDK runs in a closed Shadow DOM, isolating its styles and DOM from the host application. The SDK:
- Does not set cookies on end users' browsers
- Does not access localStorage or sessionStorage of the host app
- Does not modify the host app's DOM outside its own Shadow DOM container
- Cleans up all listeners and intervals on destroy
- Communicates only with your configured API URL over HTTPS
Infrastructure
| Service | Provider | Purpose |
|---|---|---|
| API | Fly.io | Application hosting, global edge |
| Database | Neon | PostgreSQL with RLS |
| Authentication | Clerk | Dashboard auth, OAuth, MFA |
| Payments | Stripe | PCI-compliant billing |
| AI | OpenAI | Guidance generation (no training on your data) |
| DNS / CDN | Cloudflare | DNS, DDoS protection |
Data Processing
Page structure data sent by the SDK is processed by OpenAI for schema enrichment and guidance generation. OpenAI does not use API data for model training (per their API data usage policy). We do not send end-user personal information to OpenAI — only page structure metadata (element names, roles, states).
Reporting Vulnerabilities
If you discover a security vulnerability, please report it to security@activationkit.com. We take all reports seriously and will respond within 48 hours.