> ## Documentation Index
> Fetch the complete documentation index at: https://docs.summerengine.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Security Overview

> How Summer Engine protects your code and data

## Our Commitment to Security

At Summer Engine, we understand that your code is your most valuable asset. We've built our security infrastructure with developer privacy and data protection as core principles, not afterthoughts.

## Data Handling Philosophy

**Your Code, Your Control**: We believe developers should have full transparency and control over how their code is handled. Every decision we make prioritizes your privacy and security.

## Infrastructure Security

We depend on the following trusted partners and services, organized by how they interact with your data:

### Core Infrastructure

**Vercel** - *Sees and stores code data*\
Our primary infrastructure is hosted exclusively on Vercel's EU-based servers, ensuring GDPR compliance and providing enhanced privacy protection for all users.

**Vercel AI Gateway** - *Sees code data*\
We use Vercel AI Gateway as a proxy to improve performance and security for our AI API requests.

### AI Model Providers

**Anthropic** - *Sees code data*\
We use Claude models for AI responses. Code may be sent to Anthropic for processing. When Privacy Mode is enabled on your account, zero data retention is enforced with Anthropic.

**OpenAI** - *Sees code data*\
We use GPT models for certain AI features. Code may be sent to OpenAI for processing. When Privacy Mode is enabled on your account, zero data retention is enforced with OpenAI.

**Google Cloud Vertex API** - *Sees code data*\
We use Gemini models through Google's Vertex API. When Privacy Mode is enabled on your account, zero data retention is enforced with Google Cloud Vertex.

**Other model providers** - *Sees code data*\
We use additional model providers as part of routing on Auto and Premium. Privacy Mode applies to all model providers we route to. See [Privacy Mode](/security/privacy-mode) for details.

### Data Storage and Processing

**Turbopuffer** - *Stores obfuscated code data*\
Embeddings of indexed codebases and obfuscated metadata are stored with Turbopuffer on Google Cloud servers in the US. This enables Summer Engine's project intelligence features. You can read more on [Turbopuffer's security page](https://turbopuffer.com/docs/security).

**Supabase** - *Stores code data*\
We use Supabase for user data, project metadata, and art assets. All data is encrypted in transit and at rest.

### Essential Services (No Code Access)

**Stripe** - *No code data*\
Handles billing and payments. Only stores your payment information and billing details.

**Vercel** - *Sees and stores code data*\
Hosts our primary infrastructure including API servers. Code data passes through Vercel's infrastructure during processing.

**Amplitude** - *No code data*\
Analytics for usage patterns only. No code data is stored - only events like "AI request made" or "project opened".

**Slack & Google Workspace** - *May store code snippets for debugging*\
Our internal communication tools. We may share non-sensitive code snippets for debugging purposes, but never full codebases or sensitive information.

**Sentry** - *May store code data in error reports*\
Error monitoring and performance tracking. Code data may appear in error logs but is never explicitly sent.

## Geographic Data Handling

* **Primary servers**: European Union (exclusively via Vercel EU)
* **AI processing**: United States (AI model providers only)
* **No Chinese infrastructure**: We do not use any Chinese companies as subprocessors
* **Data residency**: All primary infrastructure and data processing occurs within EU boundaries
* **GDPR compliance**: EU-based infrastructure ensures full GDPR compliance by design

## Access Controls

### Team Access

* **Least privilege principle**: Team members only access systems necessary for their role
* **Multi-factor authentication**: Required for all infrastructure access
* **Network controls**: Restricted access using both network-level and secret-based controls
* **Regular audits**: Periodic review of access permissions and usage

### Your Control

* **Project privacy settings**: Control who can see your projects
* **Data deletion**: Request deletion of your data at any time
* **Access logs**: View when and how your data has been accessed
* **Export capabilities**: Download your project data in standard formats

## Data Protection Measures

### Encryption

* **In transit**: All data encrypted with TLS 1.3
* **At rest**: Database and file storage encrypted
* **End-to-end**: Sensitive operations use additional encryption layers

### Privacy by Design

* **Minimal data collection**: We only collect data necessary for functionality
* **Purpose limitation**: Data is only used for stated purposes
* **Data minimization**: Regular cleanup of unnecessary data
* **Anonymization**: Personal identifiers removed where possible

### Compliance

* **GDPR compliance**: Full compliance with European data protection regulations through EU-based infrastructure
* **CCPA compliance**: California Consumer Privacy Act compliance
* **EU data residency**: Primary infrastructure hosted exclusively in the European Union
* **SOC 2 Type II**: In progress

## Transparency Reports

We believe in transparency about how we handle data:

### Data Requests

* **Government requests**: We've received 0 government requests for user data
* **Law enforcement**: We've received 0 law enforcement requests
* **Third-party requests**: We don't share data with third parties without explicit consent

### Security Incidents

* **Breaches**: We've had 0 security breaches affecting user data
* **Vulnerabilities**: We maintain a responsible disclosure program
* **Incident response**: 24/7 monitoring with automated incident response

## Your Rights

### Data Access

* **View your data**: Access all data we store about you
* **Data portability**: Export your data in machine-readable formats
* **Usage logs**: See how your data has been accessed and used

### Data Control

* **Correction**: Update or correct your personal information
* **Deletion**: Request complete deletion of your account and data
* **Restriction**: Limit how we process your data
* **Objection**: Object to certain types of data processing

### Privacy Settings

* **Project visibility**: Control who can see your projects and code
* **Analytics opt-out**: Disable usage analytics collection
* **Marketing preferences**: Control communication preferences
* **Data sharing**: Opt out of any data sharing (where legally permitted)

## Security Best Practices for Users

### Account Security

* **Strong passwords**: Use unique, complex passwords
* **Two-factor authentication**: Enable 2FA on your Summer Engine account
* **Regular reviews**: Periodically review account access and permissions
* **Secure devices**: Keep your development machines secure and updated

### Project Security

* **Sensitive data**: Avoid committing secrets, API keys, or passwords
* **Access controls**: Use project privacy settings appropriately
* **Regular backups**: Maintain your own backups of critical projects
* **Team management**: Regularly review team member access

## Incident Response

### If You Suspect a Security Issue

1. **Report immediately**: Email [founders@summerengine.com](mailto:founders@summerengine.com)
2. **Provide details**: Include as much information as possible
3. **Don't disclose publicly**: Allow us to investigate and fix first
4. **Follow up**: We'll keep you updated on our investigation

### Our Response Process

1. **Immediate assessment**: Security team reviews within 1 hour
2. **Containment**: Isolate and contain any potential issues
3. **Investigation**: Full forensic investigation of the incident
4. **Remediation**: Fix vulnerabilities and strengthen defenses
5. **Communication**: Transparent communication about what happened

## Contact Us

### All Inquiries

* **Email**: [founders@summerengine.com](mailto:founders@summerengine.com)
* **Response time**: Within 24 hours for all inquiries
* **Security issues**: Mark subject as "SECURITY" for urgent security matters
* **Privacy requests**: Mark subject as "PRIVACY" for GDPR/CCPA requests
* **General questions**: We personally handle all support and privacy questions

<Warning>
  **Security is a shared responsibility.** While we implement strong security measures, the security of your projects also depends on your own security practices. Keep your accounts secure, use strong passwords, and be mindful of what you commit to your repositories.
</Warning>

## Regular Updates

This security overview is updated regularly to reflect our current practices and any changes to our infrastructure. Last updated: September 2025.

For the most current information, always refer to this documentation or contact our security team directly.
