Security

Built like your data matters.

AI work means handling information you'd rather keep private. Here's exactly how I protect it, on this site, and in everything I build for you. No vague promises, just the actual practices.

Encrypted in transit & at rest

Every page and API call is served over HTTPS/TLS. Data you submit is stored in managed PostgreSQL (Supabase) with encryption at rest. No plain-text anywhere it matters.

Least-privilege, server-side secrets

API keys and database credentials live only on the server and are never shipped to the browser. The site's public code contains no secrets. That's by design, not luck.

Row-level security on the database

The leads table has row-level security enabled with no public read or write access. Only a server-side service role can write to it, so the data can't be scraped from the client.

Minimal data, deletion on request

I collect only what's needed to reply to you: typically a name, email, and your message. Want it gone? Email me and it's deleted. No selling, no sharing, ever.

Payments handled by Stripe

All payments and invoices run through Stripe, a PCI-DSS Level 1 provider. Your card details go straight to Stripe. They never touch this site or my systems.

Cookieless, privacy-friendly analytics

Analytics run on Plausible, which uses no cookies and collects no personal data. You get a fast site and I get aggregate numbers, without anyone being tracked across the web.

Hardened HTTP headers

A strict Content-Security-Policy, HSTS, anti-clickjacking, MIME-sniffing protection, and a locked-down permissions policy ship on every response. The actual headers are below.

The same standard for your build

This isn't just how my site works. It's how I build for clients. Security-by-default is baked into every tool, dashboard, and app I ship.

Live response headers · shipped on every page

Six protections every visitor gets automatically. The plain-English version is up front; the exact value each browser receives is underneath, and you can verify any of them in your browser's dev tools.

Forces encrypted HTTPS connections for two years, subdomains included.
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

Locks down what's allowed to load and run on the page, blocking injected scripts.
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'; object-src 'none'; ...

Stops browsers from second-guessing file types, closing a classic attack route.
X-Content-Type-Options: nosniff

Blocks this site from being embedded elsewhere, which prevents clickjacking.
X-Frame-Options: DENY

Limits what other sites can learn about where you came from.
Referrer-Policy: strict-origin-when-cross-origin

Camera, microphone, and location: switched off at the browser level.
Permissions-Policy: camera=(), microphone=(), geolocation=()
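If you would rather verify the six headers from a script than in dev tools, here is an added example (not code from this site) that audits a captured header set against the policies listed above. The sample headers are constructed to mirror the page's values, with the CSP shortened to the directives the page shows.

```python
import re

TWO_YEARS = 63072000  # seconds; the max-age the page's HSTS header uses
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"}


def csp_directives(value):
    """Parse a Content-Security-Policy value into {directive: [sources]}."""
    out = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out


def audit_headers(headers):
    """Check one response's headers against the six protections; returns {check: bool}."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # header names are case-insensitive
    csp = csp_directives(h.get("content-security-policy", ""))
    hsts = h.get("strict-transport-security", "").lower()
    age = re.search(r"max-age=(\d+)", hsts)
    perms = h.get("permissions-policy", "").replace(" ", "").split(",")
    return {
        # HSTS must be long-lived (at least two years) and cover subdomains
        "hsts": bool(age) and int(age.group(1)) >= TWO_YEARS and "includesubdomains" in hsts,
        # CSP must default to same-origin and forbid framing and plugin content
        "csp": csp.get("default-src") == ["'self'"]
        and csp.get("frame-ancestors") == ["'none'"]
        and csp.get("object-src") == ["'none'"],
        "nosniff": h.get("x-content-type-options", "").lower() == "nosniff",
        "frame_options": h.get("x-frame-options", "").upper() == "DENY",
        "referrer": h.get("referrer-policy", "").lower() in SAFE_REFERRER,
        # each sensitive feature must carry the empty allowlist "()"
        "permissions": all(f"{f}=()" in perms for f in ("camera", "microphone", "geolocation")),
    }


# Constructed sample mirroring the values shown on this page (CSP shortened to the listed directives)
GOOD = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'; object-src 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
# Constructed weak variant: short HSTS, same-origin framing allowed, camera not disabled
WEAK = dict(GOOD, **{"Strict-Transport-Security": "max-age=3600",
                     "X-Frame-Options": "SAMEORIGIN",
                     "Permissions-Policy": "microphone=(), geolocation=()"})
```

Feed `audit_headers` the header dict from any HTTP client and every check should come back True; the WEAK sample shows which checks flag when a header is relaxed.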

Found something that looks off, or have a security question before we work together? Email hello@czemeres.ai; I take it seriously and I'll respond personally.