Security

Security is architecture, not a feature flag

Continium processes your CRM data to generate Account Intelligence -- QBRs, risk assessments, personalized outreach, and more. We built every layer of the stack to ensure that access is minimal, credentials are encrypted, and every query is tenant-scoped.

Written for security teams

This page is a technical overview of the controls we implement, written for CTOs, CISOs, and security reviewers.

7 architecture pillars. 0 CRM write scopes. 3 SOC 2 providers.

Security architecture

Seven pillars, from authentication through data minimization to infrastructure.

Zero-knowledge authentication

We never see your CRM password.

Continium authenticates through OAuth 2.0 (authorization code grant), delegating identity verification entirely to HubSpot or Salesforce. The authorization code is exchanged for tokens server-to-server, so access and refresh tokens are never exposed to the browser, and callback values such as the state parameter are checked with a constant-time comparison so that a mismatch cannot be probed through response timing. For Salesforce, we enforce PKCE with SHA-256 (S256) code challenges.
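The server side of that flow, as an added example rather than Continium's own code: a PKCE verifier and S256 challenge built per RFC 7636, a random state bound to the login attempt, and a constant-time state check before the server-to-server token exchange. The endpoint URL, client id and redirect URI are placeholders.

```typescript
// Added example (not Continium's code): OAuth 2.0 authorization-code flow
// with PKCE (S256) and a constant-time state comparison on the callback.
// The authorize endpoint below is a placeholder, not a real provider URL.
import { createHash, randomBytes, timingSafeEqual } from "node:crypto";

// RFC 7636: 32 random bytes -> 43 base64url characters, the minimum length.
export function newCodeVerifier(): string {
  return randomBytes(32).toString("base64url");
}

// S256: BASE64URL(SHA256(ASCII(code_verifier))) without padding.
export function codeChallengeS256(verifier: string): string {
  return createHash("sha256").update(verifier, "ascii").digest("base64url");
}

export interface PendingAuth {
  state: string;        // binds the redirect to the callback (anti-CSRF)
  codeVerifier: string; // stays server-side; never sent to the browser
  createdAt: number;
}

// Start a login: returns the redirect URL and the record to store by state.
export function beginAuthorization(
  clientId: string,
  redirectUri: string,
  authorizeEndpoint = "https://login.example.invalid/oauth2/authorize", // placeholder
  now = Date.now(),
): { url: string; pending: PendingAuth } {
  const pending: PendingAuth = {
    state: randomBytes(32).toString("base64url"),
    codeVerifier: newCodeVerifier(),
    createdAt: now,
  };
  const params = new URLSearchParams({
    response_type: "code",
    client_id: clientId,
    redirect_uri: redirectUri,
    state: pending.state,
    code_challenge: codeChallengeS256(pending.codeVerifier),
    code_challenge_method: "S256",
  });
  return { url: `${authorizeEndpoint}?${params.toString()}`, pending };
}

// Constant-time comparison: the time taken does not depend on how many
// leading characters of the two values agree.
export function stateMatches(expected: string, received: string): boolean {
  const a = Buffer.from(expected, "utf8");
  const b = Buffer.from(received, "utf8");
  if (a.length !== b.length) return false;
  return timingSafeEqual(a, b);
}

// Handle the callback: reject an unknown, stale or mismatched state, then
// build the body of the server-to-server token request. Returns null on
// any failure so the caller never exchanges a code it did not ask for.
export function handleCallback(
  pending: PendingAuth | undefined,
  receivedState: string,
  code: string,
  clientId: string,
  redirectUri: string,
  maxAgeMs = 10 * 60 * 1000,
  now = Date.now(),
): URLSearchParams | null {
  if (!pending) return null;
  if (now - pending.createdAt > maxAgeMs) return null;
  if (!stateMatches(pending.state, receivedState)) return null;
  return new URLSearchParams({
    grant_type: "authorization_code",
    code,
    redirect_uri: redirectUri,
    client_id: clientId,
    code_verifier: pending.codeVerifier, // proves this server began the flow
  });
}
```

The verifier is looked up by state on the callback and discarded after one use; the code, not the verifier or the resulting tokens, is the only secret that transits the browser.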

Encrypted credential storage

Tokens are encrypted inside the database engine itself.

CRM access and refresh tokens are stored in Supabase Vault using authenticated encryption (AEAD). Decrypted values exist only in memory during the API call that retrieves them -- they are never written to disk in plaintext. Application code never touches raw cryptographic keys.

Database-level tenant isolation

Every query is scoped by policy, not just application logic.

All user-facing tables are protected by Postgres Row Level Security policies keyed to the authenticated tenant, so a query issued on behalf of one tenant returns or modifies nothing that belongs to another, even if the application layer has a bug. The public (anonymous) API key carries no privileges on sensitive tables, so a leaked key cannot enumerate user data.

Server-side session management

No tokens in localStorage. No JWTs in the browser.

Sessions are backed by 256-bit random tokens stored server-side and delivered in httpOnly, Secure, SameSite cookies. Script running in the page cannot read the token, which removes the usual XSS route to session theft, and the SameSite attribute keeps cross-site requests from carrying it, which blunts CSRF. Sessions expire automatically and are renewed on use (a sliding window). Concurrent sessions per user are capped, evicting the oldest first.
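An opaque session store with those properties, as an added example and not Continium's own code. The in-memory Map stands in for the database or Redis store; hashing tokens before storage and the __Host- cookie prefix are additions beyond what the page states.

```typescript
// Added example (not Continium's code): server-side sessions with 256-bit
// tokens, sliding expiry, per-user cap with oldest-first eviction, and a
// cookie that page script cannot read. Map = stand-in for the real store;
// token hashing and the __Host- prefix are assumptions on top of the page.
import { createHash, randomBytes } from "node:crypto";

export interface Session {
  userId: string;
  createdAt: number;
  expiresAt: number;
}

export class SessionStore {
  private readonly byHash = new Map<string, Session>();

  constructor(
    private readonly idleTtlMs = 30 * 60 * 1000,
    private readonly maxPerUser = 3,
  ) {}

  // Only SHA-256(token) is stored, so a copied session table cannot be
  // replayed as cookies; lookups hash the presented token the same way.
  private static key(token: string): string {
    return createHash("sha256").update(token).digest("hex");
  }

  // Issue a session; enforce the per-user cap before inserting.
  create(userId: string, now = Date.now()): string {
    this.evictOldest(userId, this.maxPerUser - 1, now);
    const token = randomBytes(32).toString("base64url"); // 256 bits
    this.byHash.set(SessionStore.key(token), {
      userId,
      createdAt: now,
      expiresAt: now + this.idleTtlMs,
    });
    return token; // goes into the cookie; never stored in plaintext
  }

  // Expired sessions are dropped; live ones have their expiry pushed
  // forward (sliding window).
  resolve(token: string, now = Date.now()): Session | null {
    const k = SessionStore.key(token);
    const s = this.byHash.get(k);
    if (!s) return null;
    if (s.expiresAt <= now) {
      this.byHash.delete(k);
      return null;
    }
    s.expiresAt = now + this.idleTtlMs;
    return s;
  }

  revoke(token: string): boolean {
    return this.byHash.delete(SessionStore.key(token));
  }

  activeCount(userId: string, now = Date.now()): number {
    return this.liveForUser(userId, now).length;
  }

  private liveForUser(userId: string, now: number): [string, Session][] {
    return Array.from(this.byHash.entries()).filter(
      ([, s]) => s.userId === userId && s.expiresAt > now,
    );
  }

  // Keep at most `keep` live sessions for the user, dropping the oldest.
  private evictOldest(userId: string, keep: number, now: number): void {
    const live = this.liveForUser(userId, now).sort(
      (a, b) => a[1].createdAt - b[1].createdAt,
    );
    for (const [k] of live.slice(0, Math.max(0, live.length - keep))) {
      this.byHash.delete(k);
    }
  }
}

// Set-Cookie value: HttpOnly hides it from script, Secure binds it to TLS,
// SameSite=Lax stops cross-site POSTs from carrying it, and the __Host-
// prefix makes browsers refuse it unless Secure and Path=/ with no Domain.
export function sessionCookie(token: string, maxAgeSec: number): string {
  return `__Host-session=${token}; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=${maxAgeSec}`;
}
```

Because the token is random rather than a signed claim, revocation is a single delete in the store; nothing in the browser needs to be invalidated.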

Defense-in-depth API layer

Rate limiting, content security policy, and input validation on every request.

Every API route runs behind tiered sliding-window rate limiters. Middleware enforces a same-origin CORS policy and a Content-Security-Policy that forbids framing (frame-ancestors) and restricts where scripts may load from. CRM record identifiers are validated against provider-specific patterns before they reach any query or upstream call.
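Two of those request-level checks, as an added example that is not Continium's code: a sliding-window-log limiter over an in-memory Map (standing in for Upstash Redis; the per-tier limits are illustrative) and identifier validation for HubSpot's numeric object IDs and Salesforce's 15/18-character IDs. Verifying the Salesforce 18-character checksum suffix goes one step beyond the plain pattern match the page describes.

```typescript
// Added example (not Continium's code): tiered sliding-window rate limiting
// and CRM identifier validation. Tier limits are illustrative; the Map
// stands in for Redis.
export type Tier = "auth" | "ai" | "data";

export const TIER_LIMITS: Record<Tier, { limit: number; windowMs: number }> = {
  auth: { limit: 5, windowMs: 60_000 },
  ai: { limit: 20, windowMs: 60_000 },
  data: { limit: 120, windowMs: 60_000 },
};

export class SlidingWindowLimiter {
  private readonly hits = new Map<string, number[]>();

  // Sliding-window log: keep the timestamps inside the window and count them,
  // so a burst at the end of one fixed window cannot double the rate.
  check(tier: Tier, subject: string, now = Date.now()): { allowed: boolean; remaining: number } {
    const { limit, windowMs } = TIER_LIMITS[tier];
    const key = `${tier}:${subject}`;
    const recent = (this.hits.get(key) ?? []).filter((t) => t > now - windowMs);
    if (recent.length >= limit) {
      this.hits.set(key, recent);
      return { allowed: false, remaining: 0 };
    }
    recent.push(now);
    this.hits.set(key, recent);
    return { allowed: true, remaining: limit - recent.length };
  }
}

// HubSpot object ids are decimal integers; Salesforce ids are 15 chars
// (case-sensitive) or 18 chars (15 + a 3-char case-insensitive checksum).
const HUBSPOT_ID = /^[0-9]{1,20}$/;
const SALESFORCE_ID = /^[A-Za-z0-9]{15}(?:[A-Za-z0-9]{3})?$/;

// Checksum suffix: for each 5-char block, a 5-bit number whose bit i is set
// when char i is uppercase, mapped through A-Z then 0-5.
export function salesforceSuffix(id15: string): string {
  const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ012345";
  let out = "";
  for (let block = 0; block < 3; block++) {
    let flags = 0;
    for (let i = 0; i < 5; i++) {
      const c = id15[block * 5 + i];
      if (c >= "A" && c <= "Z") flags |= 1 << i;
    }
    out += alphabet[flags];
  }
  return out;
}

export function isValidCrmId(provider: "hubspot" | "salesforce", id: string): boolean {
  if (provider === "hubspot") return HUBSPOT_ID.test(id);
  if (!SALESFORCE_ID.test(id)) return false;
  if (id.length === 15) return true;
  return id.slice(15).toUpperCase() === salesforceSuffix(id.slice(0, 15));
}
```

Validating identifiers by shape before they are interpolated into a provider URL or a query is cheap and closes off a whole class of path and query manipulation; the checksum additionally catches mistyped or fabricated 18-character Salesforce ids.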

PII minimization by design

Raw customer data is never persisted beyond the request lifecycle.

When generating intelligence, raw CRM data is used in the prompt context for that request only. The stored output contains generated insights and aggregate metadata -- never raw contact details, email addresses, or phone numbers. This limits the blast radius of any breach to summaries and counts, not customer contact lists.
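What a stored record may contain after a generation request, and a guard that keeps raw contact data out of it, as an added example that is not Continium's code. It also illustrates the Generate step in the data lifecycle below. The record shapes, field names and sample account are invented; the model call itself is outside the snippet, so the generated text is passed in.

```typescript
// Added example (not Continium's code): allowlisted aggregates plus a PII
// guard on generated text. Types, field names and sample data are invented.
export interface Contact { id: string; firstName: string; lastName: string; email: string; phone?: string }
export interface Deal { id: string; name: string; amount: number; stage: string }
export interface RawAccount { companyId: string; name: string; contacts: Contact[]; deals: Deal[] }

// The only shape that reaches the database: text plus counts and sums.
export interface StoredIntelligence {
  companyId: string;
  generatedAt: number;
  insights: string;
  metadata: { contactCount: number; dealCount: number; totalAmount: number; stages: Record<string, number> };
}

// Allowlist of aggregates; no contact or deal field is copied through.
export function aggregateMetadata(raw: RawAccount): StoredIntelligence["metadata"] {
  const stages: Record<string, number> = {};
  for (const d of raw.deals) stages[d.stage] = (stages[d.stage] ?? 0) + 1;
  return {
    contactCount: raw.contacts.length,
    dealCount: raw.deals.length,
    totalAmount: raw.deals.reduce((sum, d) => sum + d.amount, 0),
    stages,
  };
}

const EMAIL = /[\w.+-]+@[\w-]+(?:\.[\w-]+)+/g;
const PHONE = /\+?\d[\d\s().-]{7,}\d/g;

function escapeRe(s: string): string {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Strip the identifiers that were in the prompt (names, emails, phones) and
// anything else that still looks like an email or phone number, so a model
// that echoes prompt context cannot smuggle contact data into storage.
export function redactPii(text: string, raw: RawAccount): { text: string; redactions: number } {
  let out = text;
  let redactions = 0;
  const swap = (pattern: RegExp, replacement: string): void => {
    out = out.replace(pattern, () => { redactions++; return replacement; });
  };
  for (const c of raw.contacts) {
    swap(new RegExp(`${escapeRe(c.firstName)}\\s+${escapeRe(c.lastName)}`, "gi"), "[contact]");
    swap(new RegExp(escapeRe(c.email), "gi"), "[email]");
    if (c.phone) swap(new RegExp(escapeRe(c.phone), "g"), "[phone]");
  }
  swap(EMAIL, "[email]");
  swap(PHONE, "[phone]");
  return { text: out, redactions };
}

// Build the record that is persisted; raw contacts and deals are dropped here.
export function toStorable(raw: RawAccount, generatedText: string, now = Date.now()): StoredIntelligence {
  return {
    companyId: raw.companyId,
    generatedAt: now,
    insights: redactPii(generatedText, raw).text,
    metadata: aggregateMetadata(raw),
  };
}
```

The redaction count is worth logging: a non-zero value means the prompt or the model is leaking context into output, which is a prompt-design bug to fix rather than something to rely on the guard for.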

Audited infrastructure

Every provider in the stack holds an independent SOC 2 Type II attestation.

The application runs on Vercel's Edge Network with automatic TLS 1.3 and HSTS. Data is persisted in Supabase (Postgres on AWS) with encryption at rest. Caching is handled by Upstash Redis, encrypted in transit and at rest. Deployments are immutable and atomic.

Principle of least privilege

We request only the OAuth scopes required to read the data that powers Account Intelligence. We never request write, delete, or administrative access to your CRM.

You can revoke Continium's access at any time from your CRM's connected apps settings. Revocation is immediate -- cached data is purged and tokens are deleted.

HubSpot
  Scopes requested: crm.objects.companies.read, crm.objects.contacts.read, crm.objects.deals.read, tickets, crm.objects.owners.read
  Note: Read-only. No write, delete, or admin scopes.

Salesforce
  Scopes requested: api, refresh_token, id
  Note: Minimal API access; no full, chatter, or admin scopes. Salesforce does not offer a read-only API scope: api grants API access bounded by the connected user's own permissions, and Continium issues only read calls under it.

Data lifecycle

How your CRM data moves through Continium -- and where it stops.

1. Ingest

Continium makes read-only API calls to your CRM on demand. Data is fetched when you open the dashboard or request intelligence for an account. We do not run background syncs or maintain full CRM mirrors.

2. Cache

API responses are cached with short TTLs (5-30 minutes depending on data type) to reduce load on your CRM. Caches are scoped per portal and encrypted in transit and at rest. Cache misses fall through to live CRM calls.

3. Generate

Raw CRM data is used in the AI prompt context for a single request. Only the generated intelligence and aggregate metadata are persisted. Contact names, emails, phone numbers, and deal details are never stored in the output.

4. Delete

When you disconnect your CRM or delete your account, tokens are revoked immediately and cached data is purged. Generated intelligence is retained for 30 days to allow re-download, then permanently deleted.

Operational controls

Runtime protections that apply to every request, every deployment, every environment.

Secrets managed via environment variables, never committed to source control
Immutable deployments with build-time type checking enforced
Tiered rate limiting on every endpoint class (auth, AI, data)
Automated token refresh with pre-expiry buffer, silent to the end user
In-flight request coalescing to prevent duplicate upstream API calls
Fail-open caching -- a Redis outage degrades to live CRM calls rather than an error, and stale data is never served
Structured audit logging with user, IP, action, and resource tracing
Input validation at both the route handler and data-access layer
Concurrent session limits with automatic oldest-session eviction
Content-Security-Policy enforced with framing prevention and restricted script sources
Error responses redacted -- upstream provider details never surfaced to clients
Explicit data selection on all database queries to prevent accidental exposure
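The cache and token behaviours listed above, and the Ingest and Cache steps of the data lifecycle, as an added example that is not Continium's code: tenant-scoped cache keys with per-type TTLs, in-flight coalescing, fail-open reads and writes, and a token refresh that fires before expiry and is shared by concurrent callers. The in-memory cache stands in for Upstash Redis, the fetch function for the HubSpot/Salesforce clients; TTL values, the refresh buffer, the key layout and the class names are assumptions.

```typescript
// Added example (not Continium's code): tenant-scoped cache with TTLs,
// request coalescing, fail-open cache access, and pre-expiry token refresh.
// MemoryCache stands in for Redis; fetchLive for the CRM client.
export type Kind = "companies" | "contacts" | "deals";

// Illustrative per-type TTLs in seconds (page: 5-30 minutes by data type).
export const TTL_SECONDS: Record<Kind, number> = { companies: 1800, contacts: 600, deals: 300 };

export interface CacheLike {
  get(key: string): Promise<string | null>;
  set(key: string, value: string, ttlSeconds: number): Promise<void>;
}

export class CrmReader {
  private readonly inflight = new Map<string, Promise<unknown>>();
  public liveCalls = 0;

  constructor(
    private readonly cache: CacheLike,
    private readonly fetchLive: (portalId: string, kind: Kind, id: string) => Promise<unknown>,
    private readonly warn: (msg: string) => void = () => {},
  ) {}

  async get(portalId: string, kind: Kind, id: string): Promise<unknown> {
    // Portal id in the key: one tenant's entries are never served to another,
    // even when two portals hold the same record id.
    const key = `crm:${portalId}:${kind}:${id}`;

    // Fail-open read: a cache outage means a live call, never an error.
    try {
      const hit = await this.cache.get(key);
      if (hit !== null) return JSON.parse(hit);
    } catch (err) {
      this.warn(`cache read failed, falling through to CRM: ${String(err)}`);
    }

    // Coalesce: concurrent misses on one key share a single upstream call.
    const pending = this.inflight.get(key);
    if (pending) return pending;

    const call = (async () => {
      try {
        this.liveCalls++;
        const value = await this.fetchLive(portalId, kind, id);
        try {
          await this.cache.set(key, JSON.stringify(value), TTL_SECONDS[kind]);
        } catch (err) {
          this.warn(`cache write failed, serving live value: ${String(err)}`);
        }
        return value;
      } finally {
        this.inflight.delete(key);
      }
    })();
    this.inflight.set(key, call);
    return call;
  }
}

export interface TokenRecord { accessToken: string; expiresAt: number } // epoch ms

// Refresh inside a buffer before expiry so no request races the deadline;
// concurrent callers wait on the same refresh instead of each triggering one.
export class TokenManager {
  private refreshing: Promise<TokenRecord> | null = null;
  public refreshCount = 0;

  constructor(
    private record: TokenRecord,
    private readonly refresh: () => Promise<TokenRecord>,
    private readonly bufferMs = 5 * 60_000,
  ) {}

  async accessToken(now = Date.now()): Promise<string> {
    if (this.record.expiresAt - now > this.bufferMs) return this.record.accessToken;
    if (!this.refreshing) {
      this.refreshCount++;
      this.refreshing = this.refresh()
        .then((fresh) => { this.record = fresh; return fresh; })
        .finally(() => { this.refreshing = null; });
    }
    return (await this.refreshing).accessToken;
  }
}

// In-memory cache with TTL and a switch that simulates a Redis outage.
export class MemoryCache implements CacheLike {
  private readonly store = new Map<string, { value: string; expiresAt: number }>();
  public down = false;
  constructor(private readonly clock: () => number = Date.now) {}
  async get(key: string): Promise<string | null> {
    if (this.down) throw new Error("ECONNREFUSED");
    const e = this.store.get(key);
    return e && e.expiresAt > this.clock() ? e.value : null;
  }
  async set(key: string, value: string, ttlSeconds: number): Promise<void> {
    if (this.down) throw new Error("ECONNREFUSED");
    this.store.set(key, { value, expiresAt: this.clock() + ttlSeconds * 1000 });
  }
}
```

Note that fail-open is the right default for a read cache, where the fallback is a slower but correct answer; it would be the wrong default for the rate limiter, which should fail closed or at least alert when its backing store is unreachable.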

Infrastructure & compliance

Every component in the stack is hosted with a provider that holds an independent SOC 2 Type II attestation.

Compute & CDN

Vercel

Edge Network with automatic TLS 1.3, HSTS, Content-Security-Policy, and DDoS protection. Immutable, atomic deployments.

Database & Auth

Supabase

Postgres on AWS with encryption at rest. Vault for credential encryption. Row Level Security on all tables.

Cache & Rate Limiting

Upstash

Serverless Redis with TLS encryption in transit and at rest. Per-endpoint sliding-window rate limiting.

Responsible disclosure

If you discover a security vulnerability, please report it to our security team. We commit to acknowledging receipt within 24 hours, providing an initial assessment within 72 hours, and keeping you informed through resolution.

We ask that you give us reasonable time to address the issue before public disclosure. We do not pursue legal action against researchers acting in good faith.