Security and trust
Veesie shows how AI assistants like ChatGPT, Gemini and Perplexity talk about your brand. To do that you trust Veesie with your brand data, and sometimes your Google Analytics. This page explains exactly how Veesie protects that data: encrypted, in the EU, and accessible only to you.
Always encrypted
Sensitive fields, like your Google tokens, are encrypted with AES-256-GCM. All connections run over HTTPS with HSTS.
EU hosting
Your account, brands and results live in a PostgreSQL database in Frankfurt. No core data outside the EU.
Read-only AI access
The Google Analytics connection is read-only. Veesie can never change or delete your statistics.
Strict isolation
Each customer sees only their own data, enforced twice: at database level (RLS) and in the application.
1. Your data and AI monitoring
To measure how AI sees your brand, Veesie sends your prompts (questions about your brand, your sector and your competitors) to AI providers like OpenAI, Anthropic, Google and Perplexity. We store their answers in our EU database.
- The prompts are about brands and topics, not people. They normally contain no personal data.
- The answers, scores and analyses that result are stored in the EU.
- Veesie never uses your data to train models or for advertising.
2. Encryption
In transit
All traffic to veesie.com runs over HTTPS. We send a Strict-Transport-Security header (HSTS) with a two-year duration and are on the HSTS preload list, so browsers never connect unencrypted.
At rest
Sensitive fields in our database, like your Google Analytics access and refresh tokens and any webhook URLs, are encrypted with AES-256-GCM (authenticated encryption). If the encrypted data is tampered with, decryption fails automatically. The key is stored separately from the database as a Cloudflare Worker secret.
3. The Google Analytics connection
Many customers connect their Google Analytics 4 to Veesie to see traffic data alongside their AI visibility. That connection is deliberately minimal:
- Read-only: we only request the analytics.readonly scope. Veesie can read your Analytics, never change, delete or share it.
- CSRF-protected: the OAuth flow uses an HMAC-signed state bound to your session that expires after ten minutes. No one can force the connection on your behalf.
- Encrypted: the tokens Google returns are stored encrypted (see Encryption).
- Disconnectable: you revoke access at any time, both in Veesie and directly in your Google account.
4. Access and authentication
- Sign-in runs via Supabase Auth. Passwords are stored hashed, never in readable form.
- Sign-up and contact pages are protected against bots with Cloudflare Turnstile.
- During early access, registration is by invitation (invite code).
- Internal admin environments run behind Cloudflare Zero Trust Access and are not publicly reachable. The direct workers.dev URL is disabled, so that protection can't be bypassed.
5. Infrastructure and isolation
- Hosting: the application runs on Cloudflare Workers, on Cloudflare's global edge network.
- Database: a PostgreSQL database at Supabase in Frankfurt (EU).
- Multi-tenant isolation: each organization sees only its own data. This is enforced twice: with Row Level Security at database level, and with ownership checks in every server action of the application.
- Cloudflare and Supabase are both certified against international standards (including SOC 2 and ISO 27001) for their infrastructure.
6. Application security
Veesie's security is reviewed internally on a continuous basis. The codebase has gone through several security audits against the OWASP guidelines for APIs and for LLM applications. Concrete measures include:
- HTTP security headers: a strict Content-Security-Policy, HSTS, X-Frame-Options (DENY), X-Content-Type-Options and a restrictive Permissions-Policy.
- SSRF protection: outgoing webhooks may only go to public HTTPS addresses; internal IP ranges are blocked.
- Prompt-injection hardening: stored AI answers and user input are neutralized before they go back into an AI prompt.
- Protection against CSV formula injection in exports, timing-safe comparison of secrets, and parameterized database queries against SQL injection.
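The webhook rule above (public HTTPS only, internal IP ranges blocked) can be expressed as the following check, added here as an example and not Veesie's own code. The function names and the exact range list are assumptions, and IPv6 literals are rejected outright as a conservative simplification.

```javascript
// Added example: validation of outgoing webhook URLs (public HTTPS only).
// Function names and the range list are assumptions, not Veesie's code.
const BLOCKED_V4 = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.0.0.0", 24], ["192.168.0.0", 16],
  ["198.18.0.0", 15], ["224.0.0.0", 4], ["240.0.0.0", 4],
];

// Dotted quad -> unsigned 32-bit integer, or null if not an IPv4 literal.
function ipv4ToInt(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some((n) => n > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

// Also apply this to every address the hostname resolves to at send time,
// since a public-looking name can point at an internal address.
function isBlockedIPv4(host) {
  const ip = ipv4ToInt(host);
  if (ip === null) return false;
  return BLOCKED_V4.some(([base, bits]) => {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    return (ip & mask) >>> 0 === (ipv4ToInt(base) & mask) >>> 0;
  });
}

// Returns { ok, reason } for a webhook URL supplied by a user.
function checkWebhookUrl(raw) {
  let url;
  try { url = new URL(raw); } catch { return { ok: false, reason: "not a URL" }; }
  if (url.protocol !== "https:") return { ok: false, reason: "not HTTPS" };
  // The WHATWG URL parser canonicalises forms like 0x7f.1 or 2130706433 to a dotted quad.
  const host = url.hostname.toLowerCase().replace(/\.$/, "");
  if (host.startsWith("[")) return { ok: false, reason: "IPv6 literal not allowed" };
  if (host === "localhost" || host.endsWith(".localhost") || !host.includes("."))
    return { ok: false, reason: "internal hostname" };
  if (isBlockedIPv4(host)) return { ok: false, reason: "internal IP range" };
  return { ok: true, reason: "public HTTPS" };
}

// Constructed sample inputs (not real endpoints).
const SAMPLE_URLS = ["https://hooks.example.com/veesie", "http://hooks.example.com/veesie",
  "https://169.254.169.254/latest", "https://2130706433/hook", "https://[::1]/hook"];
function checkSamples() { return SAMPLE_URLS.map((u) => checkWebhookUrl(u).reason); }
```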
No service can guarantee absolute security, but we work continuously to reduce risks and improve our measures.
7. Payments
Payments run via Stripe Checkout. Your card details go directly to Stripe, a PCI-DSS-certified payment provider. Veesie never sees or stores your card details; we only keep a reference to your Stripe customer.
8. Subprocessors
To deliver the service we work with a limited number of carefully chosen subprocessors:
| Subprocessor | Function | Location |
|---|---|---|
| Supabase (Postgres + Auth) | Database, authentication | EU (Frankfurt) |
| Cloudflare (Workers) | Application hosting, edge processing | Global edge, processing in the nearest EU region |
| Resend | Transactional email (notifications, reports) | EU region |
| Stripe | Payment processing (only on a paid plan) | Ireland (EU) |
| Sentry | Error monitoring (error tracking) | EU (Frankfurt, Germany) |
| OpenAI, Anthropic, Google, Perplexity | LLM calls (prompts are sent to the providers) | US / EU (depending on the provider), based on SCCs |
The core data (account, brands, results) is stored exclusively in the EU. Transfers to providers outside the EU happen on the basis of the Standard Contractual Clauses (SCCs). The full list and explanation are in the privacy policy.
9. GDPR and your rights
The data controller for Veesie is Manon BV (trading as ClickForest), based in Bonheiden, Belgium, company number BE 0549.803.522.
- You can export all your data in JSON format via Settings, Privacy.
- You can delete your account and all associated data yourself via Settings, Delete account. The deletion is immediate and cascades through all linked data.
- All your GDPR rights (access, rectification, erasure, restriction, portability, objection) are described in detail in our privacy policy.
10. Reporting a vulnerability
Think you found a security issue? Let us know at hello@veesie.com. We investigate every report and keep you informed. We ask you not to disclose vulnerabilities publicly before we've been able to resolve them together (responsible disclosure).
Last updated: 13 June 2026.