Trust Center

Security and Trust

How MencionAI protects workspace data, handles AI provider flows, and operates the GEO visibility platform with traceability and clear controls.

Last updated: June 5, 2026

Access and authentication

Accounts authenticate through Supabase Auth with session-based access. Workspace membership and roles limit who can view brands, scans, reports, and billing. Affiliate-only accounts are restricted to the partner dashboard and account settings — product APIs require a full workspace role.

Traceability and audit logs

Visibility scans store provider, model, prompt text, response payload, timestamps, and derived metrics so teams can audit results, compare runs over time, and reprocess when needed. Activity relevant to billing and account changes is retained for support and dispute resolution.

Infrastructure and subprocessors

MencionAI runs on Vercel (hosting and edge), Supabase (authentication, Postgres database, and storage), and Stripe (payments). Transactional email, analytics, and AI providers operate under their own terms. We select vendors with appropriate privacy and security practices and document data flows in our Privacy Policy.

AI provider data flows

Configured prompts and brand context (domain, competitor names, campaign instructions) may be sent to AI providers such as OpenAI, Anthropic, Google, Perplexity, DeepSeek, and xAI to run visibility scans. We never send passwords, payment card data, or unrelated personal identifiers. MencionAI does not use your data to train proprietary models and prefers providers that offer training opt-out where available.

Encryption and tenant isolation

Data in transit is protected with TLS. Database access uses Supabase authentication and Row Level Security (RLS) policies so teams only read and write their own workspace records. API keys and secrets are stored server-side and are not exposed to browsers.

Compliance posture

We align operations with LGPD and GDPR principles described in our Privacy Policy, including lawful bases, data subject rights, and international transfer safeguards. MencionAI is not SOC 2 certified today; we follow a practical security roadmap (access controls, logging, vendor review, and incident procedures) and will publish certification progress when applicable.

Incident response and vulnerability disclosure

We investigate reported issues, contain impact, notify affected customers when legally required, and remediate root causes. If you believe you found a vulnerability, report it responsibly with reproduction steps, affected URLs or endpoints, and an impact assessment. Avoid public disclosure until we acknowledge receipt.

Security contact

Email suporte@mencionai.com with subject line "Security report" and include technical detail (steps to reproduce, timestamps, account email if relevant). For privacy requests, see the Privacy Policy. For general product questions, use the contact page.