
Security Overview

Last updated: 1 May 2026

How Comfrey protects your data, credentials, and provider connections.

Comfrey is built with a security-minded approach. This page explains how we protect your data during the beta.

Credential handling

Provider API keys and OAuth tokens are encrypted at rest using AES-256-GCM. They are only decrypted in memory for the duration of a request. Encryption keys are managed via Fly.io secrets and are never stored in source control.
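
An added example, not Comfrey's own code, of how a provider credential can be sealed with AES-256-GCM and opened only for the span of one request. It goes beyond the description above by binding the hub identifier as authenticated data; the variable name `CREDENTIAL_KEY_B64`, the function names, and the stored layout are assumptions made for illustration.

```javascript
// Added example: AES-256-GCM envelope for a stored provider credential.
const nodeCrypto = require('node:crypto');

// Assumption: the 32-byte key arrives base64-encoded in an environment
// variable (hypothetical name CREDENTIAL_KEY_B64), never from source control.
function loadKey(env = process.env) {
  const key = Buffer.from(env.CREDENTIAL_KEY_B64 || '', 'base64');
  if (key.length !== 32) throw new Error('AES-256 requires a 32-byte key');
  return key;
}

// Encrypt one secret. hubId is bound as additional authenticated data, so a
// ciphertext copied onto another tenant's row fails authentication.
function sealCredential(key, hubId, plaintext) {
  const iv = nodeCrypto.randomBytes(12); // fresh 96-bit nonce per encryption
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(hubId, 'utf8'));
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  // Stored layout (assumed): iv (12 bytes) || tag (16 bytes) || ciphertext
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64');
}

// Decrypt in memory for one request. Throws if the key, the hubId, or any
// stored byte differs from what was sealed.
function openCredential(key, hubId, sealed) {
  const raw = Buffer.from(sealed, 'base64');
  if (raw.length < 28) throw new Error('sealed value too short');
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
  decipher.setAAD(Buffer.from(hubId, 'utf8'));
  decipher.setAuthTag(raw.subarray(12, 28));
  const pt = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
  return pt.toString('utf8');
}

// Returns true when opening fails, false when it unexpectedly succeeds.
function rejects(key, hubId, sealed) {
  try {
    openCredential(key, hubId, sealed);
    return false;
  } catch {
    return true;
  }
}
```

Because GCM authenticates as well as encrypts, a wrong key, a mismatched hub identifier, or a modified stored value all surface as a thrown error rather than as corrupted plaintext.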

Data in transit

All traffic to Comfrey — website, API, and dashboard — is served over HTTPS. Backend-to-provider calls also use TLS.

Data at rest

Our Postgres database is hosted on Supabase with encryption at rest enabled. Object storage (Cloudflare R2) for blueprint snapshots also uses encryption at rest.

Access control

  • Least-privilege access to infrastructure and data stores.
  • Environment-specific secrets — no shared credentials across environments.
  • Tenant isolation enforced at the database query layer — every query is scoped to the authenticated hub.
  • JWT-based authentication via Supabase Auth, validated on every API request.

What we store

  • Account data — email and Supabase auth identifier.
  • Provider credentials — encrypted API keys and OAuth tokens.
  • Automation snapshots — scenarios, modules, blueprints, and run metadata read from your provider.
  • Analytics and errors — product usage events (PostHog), errors (Sentry), and performance metrics (Grafana Cloud).
  • Email — waitlist and transactional email addresses (Loops).

Abuse prevention

Signup and API endpoints are protected by rate limiting, honeypot checks, and request validation. We log security-relevant events for incident response.

Read-only by design

Comfrey does not push, edit, or delete anything in your Make.com or Fusion workspace. Provider connections are strictly read-only.

Incident response

If we discover a security incident affecting your data, we will notify affected users by email within 72 hours and take immediate steps to contain and remediate the issue.

Contact

For security questions or to report a vulnerability, email contact@comfrey.io.
