Built for enterprise security standards.
Every layer of Heartland AI is designed around one principle: your data belongs to you, and only you. Here is exactly how we enforce that.
Client-controlled API keys
You bring your own Anthropic or Google API key. Heartland AI stores it encrypted at rest with AES-256-GCM.
JWT authentication
All authentication flows through Supabase Auth using short-lived JWT access tokens and secure refresh token rotation. Every backend API route verifies the JWT before processing any request. There are no long-lived API tokens or session cookies.
Rate limiting & abuse prevention
All AI-generation endpoints (chat streaming, tabular review, document generation) and upload routes are rate-limited independently. A general rate limiter also covers all routes globally. Limits are enforced per-IP with standard RateLimit headers returned.
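The layering described above, a global limiter plus independent per-route-group limiters, all keyed per IP and reporting `RateLimit-*` headers, is shown below as an added example written for this page, not Heartland AI's code. The window sizes, limits and route prefixes are illustrative assumptions; the header names follow the IETF RateLimit header draft.

```javascript
// Added example (not Heartland AI's code): layered per-IP fixed-window rate limiting
// with RateLimit-* headers. Limits, windows and paths are illustrative assumptions.

class FixedWindowLimiter {
  constructor(name, limit, windowMs) {
    this.name = name;
    this.limit = limit;
    this.windowMs = windowMs;
    this.buckets = new Map(); // ip -> { windowStart, count }
  }

  // Account for one request from `ip` at time `now` (ms). Returns { allowed, headers }.
  consume(ip, now = Date.now()) {
    const windowStart = Math.floor(now / this.windowMs) * this.windowMs;
    let b = this.buckets.get(ip);
    if (!b || b.windowStart !== windowStart) {
      b = { windowStart, count: 0 }; // new window: start counting afresh
      this.buckets.set(ip, b);
    }
    const allowed = b.count < this.limit;
    if (allowed) b.count += 1;
    const resetSec = Math.ceil((windowStart + this.windowMs - now) / 1000);
    const headers = {
      'RateLimit-Limit': String(this.limit),
      'RateLimit-Remaining': String(Math.max(0, this.limit - b.count)),
      'RateLimit-Reset': String(resetSec),
    };
    if (!allowed) headers['Retry-After'] = String(resetSec);
    return { allowed, headers };
  }
}

// One limiter per route group plus a global one covering every route (illustrative numbers).
const limiters = {
  global: new FixedWindowLimiter('global', 300, 60_000),
  ai: new FixedWindowLimiter('ai', 20, 60_000),
  upload: new FixedWindowLimiter('upload', 10, 60_000),
};

// Map a path to its route group; assumed prefixes, not Heartland AI's actual routes.
function groupFor(path) {
  if (/^\/api\/(chat|review|generate)/.test(path)) return 'ai';
  if (path.startsWith('/api/upload')) return 'upload';
  return null;
}

// Decide one request. The global limiter always applies; the group limiter applies on top.
// Returns { status, headers } with status 200 (proceed) or 429 (reject).
function checkRequest(ip, path, now = Date.now()) {
  const applicable = [limiters.global];
  const group = groupFor(path);
  if (group) applicable.push(limiters[group]);
  let status = 200;
  const headers = {};
  for (const limiter of applicable) {
    const result = limiter.consume(ip, now);
    Object.assign(headers, result.headers); // the more specific limiter's headers win
    if (!result.allowed) {
      status = 429;
      break;
    }
  }
  return { status, headers };
}
```

Per-IP limiting is only as good as the IP it sees: behind a load balancer or CDN the application must take the client address from a forwarding header it trusts (in Express, via the `trust proxy` setting), otherwise every request appears to come from the proxy, or a client can spoof `X-Forwarded-For` and escape the limit.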
Security headers
All API responses include Helmet-enforced security headers: strict Content-Security-Policy (default-src 'self', no frames, no objects), HSTS with preload, X-Frame-Options: DENY, X-Content-Type-Options: nosniff, and a strict Referrer-Policy.
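A policy like this is worth verifying on the deployed service rather than trusting the middleware configuration. The block below is an added example for this page, not Heartland AI's or Helmet's code: it parses a response's headers and reports every deviation from the policy stated above, including the preload-list requirements for HSTS (max-age of at least one year, `includeSubDomains`, `preload`). Both header sets at the bottom are constructed samples, not captured from the service.

```javascript
// Added example (not Heartland AI's code): audit a response's security headers
// against the policy described on this page. Sample headers are constructed.

function parseCsp(value) {
  const directives = {};
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

function parseHsts(value) {
  const out = { maxAge: null, includeSubDomains: false, preload: false };
  for (const d of value.split(';').map((s) => s.trim().toLowerCase())) {
    if (d.startsWith('max-age=')) out.maxAge = Number(d.slice('max-age='.length));
    else if (d === 'includesubdomains') out.includeSubDomains = true;
    else if (d === 'preload') out.preload = true;
  }
  return out;
}

const STRICT_REFERRER = ['no-referrer', 'strict-origin', 'strict-origin-when-cross-origin', 'same-origin'];

// Returns a list of findings; an empty list means the headers meet the stated policy.
function auditSecurityHeaders(headers) {
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const findings = [];

  const csp = h['content-security-policy'];
  if (!csp) {
    findings.push('missing Content-Security-Policy');
  } else {
    const d = parseCsp(csp);
    const is = (name, expected) => d[name] && d[name].join(' ') === expected;
    if (!is('default-src', "'self'")) findings.push("CSP default-src is not exactly 'self'");
    if (!is('frame-ancestors', "'none'")) findings.push("CSP frame-ancestors is not 'none'");
    if (!is('object-src', "'none'")) findings.push("CSP object-src is not 'none'");
    for (const name of ['default-src', 'script-src']) {
      const vals = d[name] || [];
      if (vals.some((v) => v === "'unsafe-inline'" || v === "'unsafe-eval'" || v === '*')) {
        findings.push(`CSP ${name} is permissive: ${vals.join(' ')}`);
      }
    }
  }

  const hsts = h['strict-transport-security'];
  if (!hsts) {
    findings.push('missing Strict-Transport-Security');
  } else {
    const p = parseHsts(hsts);
    if (p.maxAge === null || p.maxAge < 31536000) findings.push('HSTS max-age below one year');
    if (!p.includeSubDomains) findings.push('HSTS lacks includeSubDomains (required for preload)');
    if (!p.preload) findings.push('HSTS lacks preload');
  }

  if ((h['x-frame-options'] || '').toUpperCase() !== 'DENY') findings.push('X-Frame-Options is not DENY');
  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') findings.push('X-Content-Type-Options is not nosniff');
  const referrer = (h['referrer-policy'] || '').toLowerCase();
  if (!STRICT_REFERRER.includes(referrer)) findings.push(`Referrer-Policy ${referrer || 'missing'} is not strict`);
  return findings;
}

// Constructed sample: a response that meets the policy above.
const GOOD_HEADERS = {
  'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'; object-src 'none'; base-uri 'self'; form-action 'self'",
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload',
  'X-Frame-Options': 'DENY',
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'no-referrer',
};

// Constructed sample: a weak configuration the audit should flag.
const WEAK_HEADERS = {
  'Content-Security-Policy': "default-src * 'unsafe-inline'",
  'Strict-Transport-Security': 'max-age=300',
  'X-Frame-Options': 'SAMEORIGIN',
  'Referrer-Policy': 'unsafe-url',
};
```

Pointing this at real responses (for example, feeding it the header map from a `fetch` of the login page and of an API route after deploy) turns the claims above into a repeatable check; note that the CSP mainly protects HTML documents, so the page serving the front end matters at least as much as the JSON API routes.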
Have a security question?
We welcome security reviews from enterprise buyers and their counsel. Book a technical demo and we'll walk through our architecture in detail.