Security
Your client data stays yours
Copy Machine is built for agencies managing sensitive client brand data. We take security seriously at every layer.
Security at every layer
From your login to your client's approval link, every touchpoint is built with security in mind.
Encryption in Transit
All data transmitted between your browser and Copy Machine is encrypted using TLS 1.2+. Every API call, every generation, every upload.
Encryption at Rest
Your data is stored in encrypted PostgreSQL databases managed by Neon, with AES-256 encryption at rest. Database credentials are never exposed to application code.
Multi-Tenant Isolation
Every organization's data is strictly scoped. No user can access another organization's brands, drafts, or client data. This is enforced at every API layer, not just the UI.
Authentication & Sessions
Passwords are hashed with bcrypt. Sessions use signed, encrypted JWT tokens. Email verification required on signup. Password reset via time-limited tokens.
Role-Based Access Control
Four permission tiers (Admin, Manager, Copywriter, Viewer) control exactly what each team member can see and do within your organization and across brands.
Client Portal Security
Client approval links use cryptographically random tokens. Links can be time-limited and deactivated at any time. Clients never need an account or credentials.
Audit Logging
All significant actions are logged with user, timestamp, and context. Admins have full visibility into who changed what and when, across all brands in your org.
Data Deletion
Delete any brand, draft, document, or team member at any time. Organization deletion removes all associated data permanently. We don't retain deleted content.
Enterprise-grade infrastructure
Every layer of Copy Machine runs on infrastructure with established security certifications and compliance standards.
Application Hosting
Deployed on a globally distributed edge network with automatic DDoS mitigation, SSL certificate management, and zero-downtime deployments.
- SOC 2 Type II certified infrastructure
- ISO 27001 certified
- GDPR compliant
- Automatic HTTPS on all routes
Database Infrastructure
Data is stored in enterprise-grade managed PostgreSQL with automatic failover, point-in-time recovery, and AES-256 encryption at rest.
- SOC 2 Type II certified
- GDPR compliant
- Automated daily backups
- Encrypted connections only
AI Processing
AI generation requests are processed by a leading enterprise AI provider that does not use API inputs to train models. Data is not retained beyond the request.
- No training on your data
- Enterprise data privacy policy
- Responsible AI usage guidelines
- Output filtering enabled
Security questions
Common questions from agencies evaluating Copy Machine for client work.
No. The AI provider we use does not train on API inputs. Your brand guidelines, copy drafts, and client data are never used for AI training purposes by Copy Machine or by our AI provider.
Yes, strictly. Every API request is scoped to the authenticated user's organization. There is no way for one organization's users to access another organization's brands, drafts, team members, or client data. This isolation is enforced at the database query level, not just the UI.
Your data remains accessible during your active subscription period. You can export all your brands, drafts, and guidelines at any time via the CSV/TXT export feature. After account deletion, all data is permanently removed from our systems.
Passwords are hashed using bcrypt before storage. We never store plain-text or reversibly encrypted passwords. In the event of a data breach, bcrypt hashes cannot be realistically reversed to recover original passwords.
Yes. Approval links use cryptographically random UUID tokens with no sequential or predictable patterns. Each link can be set to expire at a specific date, and you can deactivate any link at any time from your dashboard. Clients cannot access any other content beyond what you've explicitly added to their approval link.
Copy Machine's application runs on Vercel's global edge network. Database storage is managed by Neon, with primary storage in US-East-1. If your agency has specific data residency requirements, contact us at hello@trycopymachine.ai.
Copy Machine is not intended to process regulated healthcare data (PHI/HIPAA). If your use case involves regulated data, please contact us before proceeding so we can discuss appropriate safeguards.
Have a security question not covered here? Email us directly