Security

How we protect your data and run a secure platform.

Last updated: May 2026

Infrastructure

ish runs on Google Cloud Platform using managed services with strong security track records.

  • Backend: Google Cloud Run (europe-west1, Belgium)
  • Frontend: Google Cloud Run (europe-west1, Belgium)
  • Database: Supabase PostgreSQL (managed, SOC 2 Type II)
  • File storage: Supabase Storage and Google Cloud Storage
  • Region: primary data processing and storage in the EU

Data security

Encryption in transit

All network traffic is encrypted with TLS 1.2 or higher, enforced by our cloud infrastructure. This covers browser-to-server, server-to-database, and server-to-server communication.

Encryption at rest

Data at rest is encrypted by our cloud infrastructure. Sensitive application secrets are additionally encrypted with Fernet symmetric encryption before storage.

Secrets management

Application secrets and API keys are stored as environment variables, never in source code, and are typed to prevent accidental logging or serialization.

AI and data processing

ish uses AI to simulate how people experience digital products. AI inference runs on Google Vertex AI.

  • Customer data is not sent to third-party AI providers outside Google Cloud.
  • Customer data is not used to train AI models.
  • AI inference is processed by Google Vertex AI under Google Cloud data protection terms.

Inference is not yet pinned to the EU, so some of that processing can run in other Google Cloud regions. Our intention is to process fully within the EU, and we are working toward it.

Authentication and access control

  • User authentication: JWT-based via Supabase Auth with ES256 signing and JWKS validation
  • OAuth 2.0: PKCE flow for third-party sign-in (Google, Figma)
  • Authorization: role-based access control with tiered permissions
  • Service-to-service: OIDC tokens for internal communication

Application security

  • Input validation: strict schema validation on all API inputs
  • Security linting: automated static analysis in our development workflow
  • Error handling: environment-aware responses, with no stack traces or internal paths exposed in production
  • Security headers: X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy
  • Source protection: no source maps served in production

Compliance

  • ISO 27001: certification in progress
  • GDPR: EU-based data processing and storage, data minimization, and support for data-subject rights
  • DPA: a Data Processing Agreement is available on request

For how we handle personal data, see our privacy policy.

Subprocessors

The following third-party services help operate the platform. Where a subprocessor operates outside the EU, appropriate safeguards are in place.

Subprocessor list. Scroll horizontally to see all columns.
ProviderPurposeLocationCertifications
Google Cloud PlatformHosting, AI inference, storage, task queueEU (inference: global)SOC 2, ISO 27001
SupabaseDatabase, authentication, file storageEUSOC 2 Type II
FigmaDesign file integrationUSSOC 2 Type II, ISO 27001
BrowserbaseCloud browser sessionsUSSOC 2 Type II
ElevenLabsAudio transcriptionUS/EUSOC 2 Type II, ISO 27001
StripeBillingUS/EUPCI DSS, SOC 2
ResendTransactional emailUSSOC 2

Data retention

Simulation data is retained while your account is active. It is deleted on account termination and on request. For specific retention questions, contact security@ishlabs.io.

Incident response

We maintain an incident response process covering identification, containment, resolution, and post-incident review. Affected customers are notified within 72 hours of a confirmed data breach, in line with GDPR.

Responsible disclosure

If you find a security vulnerability, report it to security@ishlabs.io. We acknowledge reports within 3 business days and work with you to understand and resolve the issue.

Questions

For security inquiries, to request our DPA, or to send a security questionnaire, contact security@ishlabs.io. The data controller is This Is Ish AB, Stockholm, Sweden.