    Security

    Built to keep client feedback safe.

    Your clients trust you with their site. You trust ClickCues with their feedback. We hold up our end with scoped access, careful storage handling, and operational controls designed to stay quiet in the background.

    How we protect you

    Security that runs quietly in the background.

    Encrypted handling

    Feedback data, screenshots, and attachments are passed through provider-managed transport and storage protections.

    Strict access control

    Project access is enforced through authentication, membership checks, and database policies instead of broad shared visibility.

    Private storage paths

    Sensitive files are kept behind scoped storage paths and application access checks rather than broad public listings.

    Privacy by default

    ClickCues is built to capture feedback context, not extra marketing tracking around your reviewers.

    Operational safeguards

    Security-sensitive flows use protected edge functions, scoped storage checks, and audit-oriented event logging.

    Customer control

    Data export and deletion requests, security and privacy questions, and vendor questionnaires all route through one customer-facing security contact.

    Compliance

    Clear answers for security reviews and procurement.

    This section summarizes the support available today for security reviews, procurement, and customer due diligence.

    Internal review

    Security controls are reviewed as the product and infrastructure evolve.

    GDPR support

    Export and deletion requests are supported operationally. Contact us to discuss data-processing requirements for your organization.

    Procurement ready

    Security questionnaire and procurement follow-up can be handled in writing through one contact inbox.

    Reduced payment scope

    Stripe handles payment collection and billing portal actions directly.

    Core practices

    The day-to-day safeguards behind the product experience.

    Least-privilege access

    Privileged workflows use scoped role checks, owner-only actions, and verified backend authorization before sensitive changes are applied.

    Project-scoped screenshots

    Screenshots and uploads are organized around project ownership instead of one shared file surface.

    Database policy enforcement

    Project membership and owner-only actions are enforced through database policies and scoped authorization checks.

    Secure development flow

    Security-sensitive workflows include token validation, sanitized rendering, guarded file access paths, and verified webhook handling.

    Written security support

    Security and privacy questions, data-processing discussions, and vendor questionnaires all route through one customer-facing security contact.

    Transparent posture

    We describe current controls directly and avoid overstating certifications or review work that is not currently in place.

    Authentication and access

    Verified access controls from the application and database layers.

    Authentication flows

    ClickCues supports modern account access and recovery flows designed to keep authentication straightforward and verifiable.

    • ClickCues supports email and password authentication with email-based account confirmation.
    • Google sign-in is available for teams that prefer OAuth-based access.
    • Password recovery is handled through email reset links rather than in-app plaintext recovery.
    • Session validation helps ensure older or mismatched sessions are signed out when they no longer match the current account state.

    Account and project security events

    Security events help owners review sensitive account activity, project changes, and audit history.

    • TOTP-based two-factor authentication is available in account settings.
    • Fresh MFA verification is required before disabling MFA and before sensitive actions like account deletion, project deletion, widget-token rotation, and ownership transfer when MFA is enabled.
    • ClickCues records account and project security events for sensitive changes, and project owners can export filtered audit history as CSV where supported.

    Isolation and storage

    How ClickCues separates projects, files, and guest submission scope.

    Tenant and project isolation

    Project data is separated through scoped access controls designed to keep workspaces isolated from each other.

    • Project membership and owner access are enforced through scoped authorization checks.
    • Database policies and authorization checks protect owner-only audit logs, widget-token changes, and project-scoped records.
    • Widget tokens are stored per project and validated before public feedback routes accept submissions.
    • Guest and widget-origin uploads use scoped path prefixes like `guest/{projectId}/` and `widget/{projectId}/` instead of unrestricted writes.

    Screenshots, attachments, and storage

    Files are organized by project and shown through application access controls tied to the current workflow.

    • Task screenshots and uploads are tied to project records and validated through application access checks before they are shown in the product.
    • Project logos and avatars use controlled file-type and size restrictions.
    • Screenshot and attachment handling includes file-type restrictions and scoped project associations.
    • Attachment delivery is routed through the application workflow rather than broad public file listings.

    Privacy practices

    What ClickCues does with your data, and what it avoids.

    What we do

    • Support data export, deletion, and security-document requests through a single monitored inbox.
    • Store guest submission context such as page URL, viewport, browser, and reporter metadata when it is provided with feedback.
    • Keep retention exceptions for billing, abuse prevention, security review, and legal obligations in the documented deletion flow.

    What we do not do

    • ClickCues does not present customer data as something it sells to advertisers or third parties.
    • Customer screenshots, comments, and feedback are not used to train AI models.
    • Public review and support workflows do not depend on client logins or marketing follow-up to reviewers.

    Application and billing security

    Practical controls used across ClickCues.

    Application security

    • Rendered rich-text comment content is sanitized with DOMPurify before `dangerouslySetInnerHTML` is used.
    • Public share routes use rate limiting and token validation before task data is returned.
    • Privileged backend actions verify authentication or service context before sensitive work runs.
    • Uploaded attachment filenames are sanitized on submission before being stored.
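The scoped `guest/{projectId}/` and `widget/{projectId}/` prefixes described under isolation and storage, together with the filename sanitization noted above, as an added illustration in JavaScript that is not ClickCues' own code: the function names, the UUID-shaped project id, and the two-entry origin set are assumptions made for the example.

```javascript
// Added example, not ClickCues' code: storage keys are confined to a per-project
// prefix of the form guest/{projectId}/... or widget/{projectId}/... and the
// submitted filename is reduced to a safe base name before the key is built.
const ALLOWED_ORIGINS = new Set(["guest", "widget"]);
// Assumption for the example: project ids are UUIDs.
const PROJECT_ID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Keep only the final path segment of a submitted name, replace every character
// outside a conservative set, strip leading dots, and cap the length.
function sanitizeFilename(name) {
  const base = String(name ?? "").split(/[\\/]/).pop() || "";
  let clean = base.replace(/[^A-Za-z0-9._-]/g, "_").replace(/^\.+/, "");
  if (clean.length > 100) clean = clean.slice(-100);
  return clean || "upload";
}

// Build the key under which a guest or widget upload is stored. The origin and
// project id come from the validated widget token, never from the submission.
function buildUploadKey(origin, projectId, filename) {
  if (!ALLOWED_ORIGINS.has(origin)) throw new Error("unknown upload origin");
  if (!PROJECT_ID_RE.test(projectId)) throw new Error("invalid project id");
  return `${origin}/${projectId}/${sanitizeFilename(filename)}`;
}

// Server-side check before any read or delete on an existing key: it must sit
// under the prefix for the caller's project and contain no empty, "." or ".."
// segments, so neither traversal nor a leading slash can escape the prefix.
function isWithinProject(key, origin, projectId) {
  if (!ALLOWED_ORIGINS.has(origin) || !PROJECT_ID_RE.test(projectId)) return false;
  const parts = String(key).split("/");
  if (parts.length < 3) return false;
  if (parts.some((p) => p === "" || p === "." || p === "..")) return false;
  return parts[0] === origin && parts[1] === projectId;
}
```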

    Payment security

    • Stripe Checkout sessions and the Stripe billing portal are used for payment and subscription management.
    • Stripe webhook events are validated with webhook signature verification before account updates are applied.
    • ClickCues does not need to handle raw card entry inside the application because payment collection is delegated to Stripe-hosted flows.

    Infrastructure

    Security stack and current subprocessors.

    Component: Authentication
    Technology: Supabase Auth
    How ClickCues uses it: Email/password, Google OAuth, password reset, and MFA enrollment flows.

    Component: Database authorization
    Technology: PostgreSQL RLS + scoped authorization
    How ClickCues uses it: Project membership and owner-only access policies for data and audit records.

    Component: Storage
    Technology: Supabase Storage
    How ClickCues uses it: Scoped screenshot, attachment, logo, and avatar storage tied to application access controls.

    Component: Payments
    Technology: Stripe
    How ClickCues uses it: Hosted checkout, billing portal access, and webhook-driven subscription state updates.

    Component: Sanitization
    Technology: DOMPurify
    How ClickCues uses it: Sanitized rendering for rich comment content in the application UI.

    Component: Transactional email
    Technology: Resend
    How ClickCues uses it: Transactional email delivery for account, workspace, and product notifications.

    Component: Backend actions
    Technology: Supabase Edge Functions
    How ClickCues uses it: Protected task, comment, storage, checkout, and notification workflows.

    Current subprocessors

    This is an informational list for buyers and reviewers, not a replacement for a DPA or vendor packet.

    Supabase

    Purpose: Authentication, database, storage, and backend function runtime

    Data category: Account data, project records, feedback metadata, screenshots, and attachments

    Stripe

    Purpose: Subscription billing and customer billing portal

    Data category: Billing identity and subscription metadata handled through Stripe-hosted payment flows

    Resend

    Purpose: Transactional email delivery

    Data category: Recipient email addresses and transactional message payloads

    Security and compliance posture

    Direct answers about certifications, data handling, and current scope.

    SOC 2

    Not currently certified

    ClickCues is not currently SOC 2 certified. We use established infrastructure providers, but their certifications do not make ClickCues independently certified.

    ISO 27001

    Not currently certified

    ClickCues is not currently ISO 27001 certified.

    GDPR operational support

    Supported

    Export and deletion requests can be handled operationally. Contact us to discuss data-processing requirements for your organization.

    Payment scope

    Card handling delegated to Stripe

    Stripe-hosted checkout and billing flows reduce direct payment-card handling inside ClickCues.

    HIPAA / PHI

    Not supported

    ClickCues is not designed for protected health information and does not currently offer BAA support.

    Penetration testing

    Independent test not completed

    ClickCues performs internal security testing. We do not currently claim a completed independent third-party penetration test.

    Security FAQ

    Answers for common customer, legal, and procurement questions.

    Is ClickCues SOC 2 certified?

    No. ClickCues is not currently SOC 2 certified. We use established infrastructure providers, but their certifications do not make ClickCues independently certified.

    Responsible disclosure

    Found something? Tell us.

    We welcome good-faith reports from customers and researchers. If you spot a potential vulnerability, contact us before disclosing it publicly and we’ll follow up directly as quickly as possible.

    Report a vulnerability: evander@clickcues.com

    What to report

    • Authentication, authorization, or session-management issues
    • Cross-project access, data exposure, or storage-policy bypasses
    • Injection, XSS, or token-validation flaws
    • Security bugs in public feedback, widget, or backend function flows

    What to include

    • A short description of the issue and why it matters
    • Steps to reproduce, including URLs or affected flows when possible
    • Any screenshots or sample payloads that help reproduce the problem safely
    • Your preferred contact details for follow-up questions

    Security contact

    Need a written answer for security or procurement?

    Use the links below for security reviews, data-processing questions, vendor questionnaires, or good-faith vulnerability reports. All customer-facing security requests route to the same inbox.