Trust

Security & data handling

We treat your brand and client data the way an agency's reputation demands. Here's exactly how it's protected.

Per-tenant isolation

Every workspace's data is isolated at the database layer with row-level security (RLS) policies scoped to your agency. Queries can only ever return your own rows — enforced by Postgres, not just application code.

Encryption in transit & at rest

All traffic is served over TLS (HTTPS). Data is encrypted at rest by our database provider. Secrets and API keys are stored as environment secrets, never in the codebase.

SOC 2-certified infrastructure

GenAI Ranker runs on Supabase (Postgres) and Vercel — both SOC 2 Type II certified. We build on audited, enterprise-grade infrastructure rather than rolling our own.

Least-privilege access

Role-based access within each workspace (owner / admin / member). System jobs use a scoped service role; API keys are read-only and revocable at any time from Settings.

AI provider data handling

Prompts are sent to our model providers (Anthropic, OpenAI, Google) through their business APIs, which do not use API data to train their models. We send the buyer-intent query and brand context needed to score visibility — nothing more.

Autonomous Agent — human-in-the-loop by default

The optional Autonomous Agent never changes your live site on its own. It's off until you enable it per brand, defaults to drafting fixes for your approval, and only auto-publishes if you explicitly turn that on. Every action is capped and logged, so you stay in control.

Network insights are anonymized aggregates

Cross-tenant features (benchmarks, demand and Citation Authority) are computed only from aggregated, k-anonymized signals keyed on topic keywords — never another customer's prompts, brand or data. A signal only appears once enough distinct brands share it, so nothing traces back to any one workspace.

Your data, your control

You own your data. Export it any time via the read-only API, and request deletion of your workspace and its data by emailing us — we action it promptly.

Privacy & GDPR

We process data per our Privacy Policy. A Data Processing Agreement (DPA) and our current sub-processor list are available to customers on request.

Responsible disclosure

Found a vulnerability? Email support@genairanker.com and we'll respond quickly. We appreciate good-faith reports and won't pursue researchers acting in good faith.

Security or compliance questions?

For a DPA, sub-processor list, or enterprise security review, reach our team — we're happy to help your procurement process. We triage internally so you don't have to guess.