Security
Effective May 20, 2026
Infrastructure
Crescence runs on Vercel (edge and serverless functions) and Supabase (PostgreSQL, realtime, storage, auth). Both providers maintain SOC 2 Type II certification and encrypt data at rest using AES-256 and in transit using TLS 1.2+.
All database access is governed by row-level security (RLS) policies. Brand and office data is isolated at the row level, so no cross-tenant data access is possible through the API. Service-role access is limited to backend Edge Functions; the client never receives a service key.
Authentication
Crescence uses Supabase Auth for identity and Supabase JWT for session management. Passwords are hashed with bcrypt. Two-factor authentication (TOTP) is available and recommended for all accounts.
Session tokens expire after 24 hours of inactivity. Refresh tokens are rotated on each use. Magic links expire in 10 minutes and are single-use.
Payments
All payment processing is handled by Stripe, a PCI DSS Level 1 certified provider. Crescence never stores raw card numbers or bank account details. Payouts to brands are processed via Stripe Connect.
Data handling
User data is stored in a US-based PostgreSQL database managed by Supabase. Backups are taken daily and retained for 30 days. Data is encrypted at rest using AES-256.
Crescence does not sell personal data to third parties. Data is shared with sub-processors only as necessary to operate the platform. See our subprocessors list for the current set.
Access controls
Internal access to production data is restricted to the founding team. All access is authenticated, logged, and audited. We follow the principle of least privilege for all service accounts.
Vulnerability disclosure
We take security reports seriously and respond to all disclosures. If you discover a vulnerability, please email security@crescence.co with a description of the issue and steps to reproduce. We will acknowledge your report within 24 hours and keep you updated on our response.
We ask that you do not publicly disclose the issue until we have had a reasonable opportunity to investigate and remediate. We do not take legal action against good-faith security researchers.
Responsible disclosure
Security reports can be sent to: security@crescence.co.