Learn Domains
Security

Built for operators who don't take chances.

Security is an operator requirement, not a checkbox. You're connecting real assets: your search data, analytics, revenue, and brand knowledge. Here is exactly how we protect them.

Security philosophy

You are connecting your search data, analytics, revenue, and brand knowledge to Learn Domains. We treat that access the way an elite operations team would: least privilege by default, encryption everywhere, verifiable boundaries between tenants, and read-only scopes wherever a write isn't strictly required.

How your data is protected

Data protection & encryption

Your data is encrypted in transit and at rest, and connected-account credentials get an extra envelope of encryption.

  • All traffic is served over TLS (HTTPS) end to end.
  • Data at rest is encrypted by our managed Postgres provider (Supabase).
  • Third-party credentials (Google, Stripe) are AES-256-GCM envelope-encrypted before storage; connecting is blocked until encryption is configured.
  • Secrets and API keys live only on the server. They are never shipped to the browser.

Authentication

Identity is handled by Clerk, a dedicated authentication platform, not a homegrown password table.

  • Clerk manages sign-in, sessions, and multi-factor authentication.
  • Sessions use short-lived, signed tokens; we never store raw passwords.
  • Clerk's native Supabase third-party auth passes verified identity claims through to the database layer.

Permissions & role-based access

Every action is scoped to an organization and authorized by role, deny-by-default, enforced in two layers.

  • Organization roles (owner, admin, member, client) gate what each member can do.
  • Admin tooling is role-based via platform roles, never email-only.
  • Authorization is enforced in the service layer and again at the database with Row Level Security.
  • Client seats are read-only by design.

Database security (Supabase RLS)

Tenant data is isolated at the database with Row Level Security, deny-by-default on every tenant table.

  • RLS policies reject any query that isn't explicitly scoped to the caller's organization.
  • Even if application code had a bug, the database refuses cross-tenant reads.
  • Credit balances can never go negative: mutations only flow through atomic Postgres functions.

Billing security (Stripe)

Payments run on Stripe: we never see or store full card numbers, and every webhook is verified.

  • Card data is handled entirely by Stripe: it never touches our servers.
  • Stripe webhooks are signature-verified and idempotent, so events can't be spoofed or double-counted.
  • Credits are granted only after a real payment confirms.
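
What "signature-verified and idempotent" involves on the receiving side, as an added example that is not Learn Domains' code. It checks Stripe's `t=...,v1=...` signature header (HMAC-SHA256 over `timestamp.body`) and grants credits at most once per event id; the `org` and `credits` payload fields, the 300-second window and the in-memory `seen` set are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import time

TOLERANCE_SECONDS = 300  # assumed replay window for the signed timestamp


def _mac(secret, timestamp, payload):
    # Stripe signs "<timestamp>.<raw body>" with HMAC-SHA256 under the endpoint secret.
    msg = timestamp.encode() + b"." + payload
    return hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()


def sign(payload, secret, timestamp):
    """Build a header value; used only to construct sample input."""
    return f"t={timestamp},v1={_mac(secret, str(timestamp), payload)}"


def verify(payload, header, secret, now=None):
    fields = [item.split("=", 1) for item in header.split(",") if "=" in item]
    stamps = [v for k, v in fields if k == "t"]
    sigs = [v for k, v in fields if k == "v1"]
    if len(stamps) != 1 or not stamps[0].isdecimal() or not sigs:
        return False
    now = int(time.time()) if now is None else now
    if abs(now - int(stamps[0])) > TOLERANCE_SECONDS:
        return False  # stale or future-dated timestamp: treat as a replay
    expected = _mac(secret, stamps[0], payload).encode()
    return any(hmac.compare_digest(expected, s.encode()) for s in sigs)


class WebhookProcessor:
    def __init__(self, secret):
        self.secret = secret
        self.seen = set()  # stand-in for a table with a unique key on event id
        self.credits = {}

    def handle(self, payload, header, now=None):
        if not verify(payload, header, self.secret, now):
            return "rejected"  # never parse or act on an unauthenticated body
        event = json.loads(payload)
        if event["id"] in self.seen:
            return "duplicate"  # redelivery: acknowledge, change nothing
        self.seen.add(event["id"])
        if event["type"] == "payment_intent.succeeded":
            org = event["org"]  # hypothetical field, not Stripe's event schema
            self.credits[org] = self.credits.get(org, 0) + event["credits"]
        return "processed"
```

The signature must be computed over the raw request bytes; re-serializing parsed JSON before verifying changes the bytes and makes valid events fail.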

Google connection security

Google Search Console and Analytics connect with read-only scopes and a CSRF-protected OAuth flow.

  • We request read-only scopes only (webmasters.readonly, analytics.readonly).
  • The OAuth state is signed and encrypted to bind each connection to your org and prevent CSRF.
  • Refresh tokens are encrypted at rest, and you can disconnect a property at any time.

AI provider security

AI runs through a single routed layer with cost logging, and never exposes your data to the public web.

  • All AI calls go through the AI Model Router; the AI layer never calls external providers directly with raw secrets.
  • Expensive AI work is credit-gated and never runs for anonymous visitors.
  • Your knowledge base and connected data are used to ground your own outputs, not to train public models.

Data handling

  • We collect only what's needed to do the work: your website, connected search/analytics/revenue data, and the brand knowledge you choose to add.
  • You can disconnect any integration or delete your data at any time.
  • Access to production data is limited to a small number of authorized operators and is logged.
  • We design for graceful failure: a degraded integration is surfaced clearly rather than silently retried.

Security improvements ahead

What we're investing in next as we scale.

  • SOC 2 Type II readiness program
  • Configurable data-retention windows
  • Audit-log export for organizations
  • Single sign-on (SSO) for teams

Start with confidence.

Connect your asset, see your first Mission Brief, and decide for yourself, all on a 7-day trial.


Learn Domains provides intelligence and recommendations. We do not control search engines and do not guarantee any specific rankings, traffic, or revenue. Results depend on your work and many factors outside our control.

© 2026 Learn Domains®. All Rights Reserved.