All AI provider keys stored as encrypted Edge Function secrets. Never exposed to client.

Proof Key for Code Exchange prevents authorization code interception attacks.

Edge Functions only accept requests from salessheets.ai domain. All others rejected.

Content Security Policy headers, input sanitization, and strict HTML escaping on all AI output.

PostgreSQL policies ensure users can only access their own data. Enforced at database level.

TLS 1.3 for all connections. AES-256 encryption for stored data and secrets.