Kreel Legal
Security
Last updated: 2026-04-18
Security is not a dashboard line item — it is the precondition for everything Kreel does. The practices below describe our current controls. They will evolve; any material change that affects your data will be communicated in advance.
Authentication and access
- User authentication is handled by Supabase Auth with support for email + password, and SSO on request.
- Connected third-party platforms (Shopify, Klaviyo, Meta, Google) are accessed exclusively via OAuth 2.0. Kreel never asks for, stores, or sees your platform passwords.
- OAuth tokens are encrypted at rest using AES-256 with keys stored in our secret manager, rotated on a defined schedule.
- Kreel-issued API keys are hashed in the database; the raw key value is shown once, at creation time, and cannot be recovered afterwards.
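As an added illustration of the key-handling rule above (this is example code, not Kreel's implementation, and the `kreel_` prefix, the `ApiKeyStore` class and the sample workspace id are assumptions), the store below never holds the raw key: it is generated with 256 bits of entropy, handed back exactly once, and thereafter only its SHA-256 digest is kept for lookup. Because the key is random rather than human-chosen, a fast hash is sufficient; a slow password KDF would add cost without adding security.

```python
"""Issue-once API keys stored only as hashes (added example, not Kreel's code)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

KEY_PREFIX = "kreel_"  # assumed prefix for illustration; lets scanners recognise leaked keys


def _digest(raw_key: str) -> str:
    # One-way digest; the raw key is high-entropy, so no salt or slow KDF is needed.
    return hashlib.sha256(raw_key.encode("utf-8")).hexdigest()


@dataclass
class ApiKeyRecord:
    key_id: str          # public identifier, safe to show in the UI and logs
    digest: str          # hex SHA-256 of the raw key; the only thing persisted
    workspace_id: str    # the single workspace this key may act on
    revoked: bool = False


@dataclass
class ApiKeyStore:
    # digest -> record. Nothing here can be turned back into the raw key.
    records: Dict[str, ApiKeyRecord] = field(default_factory=dict)

    def issue(self, workspace_id: str) -> Tuple[str, ApiKeyRecord]:
        """Create a key for one workspace. The raw value is returned once and never stored."""
        raw_key = KEY_PREFIX + secrets.token_urlsafe(32)  # 32 random bytes = 256 bits
        record = ApiKeyRecord(
            key_id=secrets.token_hex(8),
            digest=_digest(raw_key),
            workspace_id=workspace_id,
        )
        self.records[record.digest] = record
        return raw_key, record

    def authenticate(self, presented: str) -> Optional[ApiKeyRecord]:
        """Look up a presented key by its digest; returns None for unknown or revoked keys."""
        candidate = _digest(presented)
        record = self.records.get(candidate)
        if record is None or record.revoked:
            return None
        # Constant-time compare of the digests; defensive, since the dict lookup
        # already matched on the full digest.
        if not hmac.compare_digest(record.digest, candidate):
            return None
        return record

    def revoke(self, key_id: str) -> bool:
        """Mark a key unusable by its public id; returns False if no such key exists."""
        for record in self.records.values():
            if record.key_id == key_id:
                record.revoked = True
                return True
        return False

    def holds_raw_key(self, raw_key: str) -> bool:
        """Sanity check used in tests: the raw key must not appear anywhere in storage."""
        return raw_key in repr(self.records)


if __name__ == "__main__":
    store = ApiKeyStore()
    raw, rec = store.issue("ws_demo")   # "ws_demo" is a constructed sample workspace id
    print("show this to the user exactly once:", raw)
    print("authenticated workspace:", store.authenticate(raw).workspace_id)
```

Losing the raw value is the intended behaviour: recovery is replaced by revocation plus re-issue, which is why the record carries a separate public `key_id` that can be referenced without ever seeing the secret.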
Data in transit and at rest
- All traffic to Kreel is encrypted with TLS 1.2 or higher. HTTP requests are redirected to HTTPS.
- Stored data is encrypted at rest by the hosting providers: Supabase for the databases and Hetzner for primary compute.
Infrastructure
- Primary compute runs in the EU (Hetzner, Germany).
- Databases are hosted on Supabase in the EU region (Frankfurt).
- The marketing site is statically hosted on Vercel's CDN.
Tenant isolation
- All customer-facing API queries include an explicit client_id filter.
- API keys are scoped to a single workspace and cannot access data outside their workspace.
- Background jobs use the same scoping rules as the API.
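To make the three isolation rules above concrete, here is an added example (not Kreel's code; the `TenantScope` helper, the `orders` table and the sample tenants `acme` and `globex` are assumptions) in which the only way to read rows is through a helper bound to one client_id, the API layer refuses to build that helper for a workspace the key is not scoped to, and a background job goes through the identical helper rather than a separate query path.

```python
"""Tenant isolation by construction (added example, not Kreel's code)."""
import sqlite3
from typing import List, Tuple


class TenantScope:
    """All data access goes through an instance bound to exactly one client_id,
    so a query that forgets the tenant filter cannot be written by accident."""

    def __init__(self, conn: sqlite3.Connection, client_id: str) -> None:
        if not client_id:
            raise ValueError("client_id is required for every query")
        self.conn = conn
        self.client_id = client_id

    def fetch_orders(self) -> List[Tuple[int, float]]:
        # The tenant filter is part of the query text, not an optional argument.
        rows = self.conn.execute(
            "SELECT id, total FROM orders WHERE client_id = ? ORDER BY id",
            (self.client_id,),
        ).fetchall()
        return [(int(r[0]), float(r[1])) for r in rows]


def scope_for_api_key(conn: sqlite3.Connection, key_workspace: str,
                      requested_client_id: str) -> TenantScope:
    """API entry point: the workspace comes from the authenticated key, and any
    client_id named in the request must match it, or the request is rejected."""
    if requested_client_id != key_workspace:
        raise PermissionError("API key is not scoped to the requested workspace")
    return TenantScope(conn, key_workspace)


def nightly_order_sync(conn: sqlite3.Connection, client_id: str) -> List[Tuple[int, float]]:
    """Background job: reuses the same scoped helper instead of a raw query."""
    return TenantScope(conn, client_id).fetch_orders()


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory sample data with two tenants."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, client_id TEXT NOT NULL, total REAL)"
    )
    conn.executemany(
        "INSERT INTO orders (client_id, total) VALUES (?, ?)",
        [("acme", 10.0), ("acme", 25.5), ("globex", 99.0)],
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_demo_db()
    print("acme via API:", scope_for_api_key(db, "acme", "acme").fetch_orders())
    print("globex via job:", nightly_order_sync(db, "globex"))
    try:
        scope_for_api_key(db, "acme", "globex")
    except PermissionError as exc:
        print("cross-workspace request rejected:", exc)
```

The check a practitioner wants here is the negative one: a key scoped to `acme` asking for `globex` must fail before any SQL runs, and an empty client_id must fail rather than silently matching every tenant.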
Access control and logging
- Production access is limited to a small number of personnel. Access is reviewed quarterly.
- Actions on production systems are logged and retained for at least 90 days.
- Secrets are managed in a dedicated secret manager, not in source control or CI environment variables.
Third-party partners
Kreel holds Shopify Partner and Klaviyo Partner status. Meta Business Partner and Google Partner applications are in progress. Each program requires ongoing compliance with the platform's security and data-handling standards.
Vulnerability disclosure
If you believe you have identified a security issue in Kreel, please email security@kreel.ai. We acknowledge within 2 business days and work with you to investigate and remediate. We do not take legal action against good-faith researchers.
Incident response
If a security incident affects Customer data, Kreel notifies affected Customers without undue delay, and within 72 hours where feasible, with a description of the incident, affected data categories, and remediation steps.