Your spreadsheets contain sensitive data. Here's exactly how we handle it, and why you can trust our infrastructure.
Uploaded files are processed in memory by our Java service and immediately discarded. We never write your files to disk. The parsed JSON is stored in an encrypted session with a 30-minute TTL, then automatically deleted.
All data in transit uses TLS 1.2+. Data at rest (sessions, account info) is encrypted with AES-256 in Supabase. API keys are hashed with bcrypt before storage — we cannot read them.
We do not inspect, analyze, or use your file contents for any purpose beyond providing the Service. We do not train AI models on your data. We do not sell or share your data with third parties.
We collect only what's needed: email for auth, usage counters for billing. No third-party trackers, no analytics cookies, no advertising. See our Privacy Policy for the full list.
If you upload a password-protected workbook, the password is used in-memory for decryption by Apache POI and never stored, logged, or transmitted beyond the processing service.
User authentication is managed by Supabase Auth using industry-standard OAuth 2.0 (Google) and magic links. API keys use bearer tokens over HTTPS. All auth flows enforce PKCE where applicable.
We build on best-in-class cloud platforms so we can focus on the product, not on reinventing security. Each partner maintains rigorous, independently audited compliance programs.
Web hosting, API routing, edge network
Our Next.js application runs on Vercel's edge network, providing global low-latency access. Vercel maintains SOC 2 Type II compliance and undergoes regular third-party security audits.
All traffic is served over HTTPS with automatic TLS certificate management. DDoS protection is built into the edge layer.
Authentication, database, session storage
Supabase manages our authentication (OAuth, magic links), PostgreSQL database, and session storage. Built on AWS infrastructure with encryption at rest (AES-256) and in transit (TLS).
Row Level Security (RLS) ensures users can only access their own data. Database backups are encrypted and retained per our retention policy.
Java Excel processing service
Our Apache POI + LibreOffice processing runs on Railway as an isolated container. Files are received via internal service-to-service calls (authenticated with a shared secret) and processed in memory, and the response is returned. No file data is persisted.
The service runs in a sandboxed Docker container with no persistent storage attached. Cold starts provision a fresh environment each time.
Payment processing
All payment processing is handled by Stripe. We never see, store, or process credit card numbers. Stripe is a PCI DSS Level 1 certified service provider — the highest level of certification in the payments industry.
Subscription management, invoicing, and refunds are all handled through Stripe's secure infrastructure.
Your AI agent                   Vercel (API)                Railway (Java)              Supabase
│                               │                           │                           │
├── upload(file) ──────────────►│                           │                           │
│                               ├── POST /convert ─────────►│                           │
│                               │   (file bytes + secret)   │                           │
│                               │                           ├── Decrypt (if needed)     │
│                               │                           ├── Convert .xls → .xlsx    │
│                               │                           ├── Recalculate formulas    │
│                               │                           ├── Parse with Apache POI   │
│                               │◄── JSON response ─────────┤                           │
│                               │                           │   (file bytes discarded)  │
│                               │                           │                           │
│                               ├── Store session JSON ────────────────────────────────►│
│                               │   (encrypted, 30min TTL)  │                           │
│◄── sessionId ─────────────────┤                           │                           │
│                               │                           │                           │
├── ls / cat / grep ───────────►│                           │                           │
│                               ├── Read session JSON ─────────────────────────────────►│
│                               │◄──────────────────────────────────────────────────────┤
│◄── results ───────────────────┤                           │                           │

File bytes only exist in memory during the Railway processing step. After parsing, only the structured JSON representation is retained (with a 30-minute TTL).
No. Files are processed in memory and discarded. We only store the parsed JSON representation in an encrypted session that expires after 30 minutes.
Session data is encrypted at rest. We do not have tooling to browse user sessions. Access to infrastructure is restricted to the engineering team with MFA-protected accounts.
Supabase runs on AWS US regions. Railway runs on US infrastructure. Vercel serves from the nearest edge location. All inter-service communication uses TLS.
Yes. We minimize data collection, provide data export and deletion on request, and all our sub-processors maintain GDPR compliance. Our entity (Dalae SAS) is incorporated in France and subject to EU data protection law.
The password is transmitted over TLS to the processing service, used in-memory to decrypt the file via Apache POI, and immediately discarded. It is never logged, stored, or transmitted to any other system.
Questions about security? Reach out.
Contact security@dalae.fr