Security
How we protect your data and run a secure platform.
Last updated: May 2026
Infrastructure
ish runs on Google Cloud Platform using managed services with strong security track records.
- Backend: Google Cloud Run (europe-west1, Belgium)
- Frontend: Google Cloud Run (europe-west1, Belgium)
- Database: Supabase PostgreSQL (managed, SOC 2 Type II)
- File storage: Supabase Storage and Google Cloud Storage
- Region: primary data processing and storage in the EU
Data security
Encryption in transit
All network traffic is encrypted with TLS 1.2 or higher, enforced by our cloud infrastructure. This covers browser-to-server, server-to-database, and server-to-server communication.
Encryption at rest
Data at rest is encrypted by our cloud infrastructure. Sensitive application secrets are additionally encrypted with Fernet symmetric encryption before storage.
Secrets management
Application secrets and API keys are stored as environment variables, never in source code, and are typed to prevent accidental logging or serialization.
AI and data processing
ish uses AI to simulate how people experience digital products. AI inference runs on Google Vertex AI.
- Customer data is not sent to third-party AI providers outside Google Cloud.
- Customer data is not used to train AI models.
- AI inference is processed by Google Vertex AI under Google Cloud data protection terms.
Inference is not yet pinned to the EU, so some of that processing can run in other Google Cloud regions. Our intention is to process fully within the EU, and we are working toward it.
Authentication and access control
- User authentication: JWT-based via Supabase Auth with ES256 signing and JWKS validation
- OAuth 2.0: PKCE flow for third-party sign-in (Google, Figma)
- Authorization: role-based access control with tiered permissions
- Service-to-service: OIDC tokens for internal communication
Application security
- Input validation: strict schema validation on all API inputs
- Security linting: automated static analysis in our development workflow
- Error handling: environment-aware responses, with no stack traces or internal paths exposed in production
- Security headers: X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy
- Source protection: no source maps served in production
Compliance
- ISO 27001: certification in progress
- GDPR: EU-based data processing and storage, data minimization, and support for data-subject rights
- DPA: a Data Processing Agreement is available on request
For how we handle personal data, see our privacy policy.
Subprocessors
The following third-party services help operate the platform. Where a subprocessor operates outside the EU, appropriate safeguards are in place.
| Provider | Purpose | Location | Certifications |
|---|---|---|---|
| Google Cloud Platform | Hosting, AI inference, storage, task queue | EU (inference: global) | SOC 2, ISO 27001 |
| Supabase | Database, authentication, file storage | EU | SOC 2 Type II |
| Figma | Design file integration | US | SOC 2 Type II, ISO 27001 |
| Browserbase | Cloud browser sessions | US | SOC 2 Type II |
| ElevenLabs | Audio transcription | US/EU | SOC 2 Type II, ISO 27001 |
| Stripe | Billing | US/EU | PCI DSS, SOC 2 |
| Resend | Transactional email | US | SOC 2 |
Data retention
Simulation data is retained while your account is active. It is deleted on account termination and on request. For specific retention questions, contact security@ishlabs.io.
Incident response
We maintain an incident response process covering identification, containment, resolution, and post-incident review. Affected customers are notified within 72 hours of a confirmed data breach, in line with GDPR.
Responsible disclosure
If you find a security vulnerability, report it to security@ishlabs.io. We acknowledge reports within 3 business days and work with you to understand and resolve the issue.
Questions
For security inquiries, to request our DPA, or to send a security questionnaire, contact security@ishlabs.io. The data controller is This Is Ish AB, Stockholm, Sweden.