Security & Architecture Overview
Company: StoryCycle Labs · 1621 Central Ave, Cheyenne, WY 82001, United States
Last updated: June 2026
Contact: sean@storycycle.ai · legal@storycycle.ai
This document summarizes the architecture, data handling, and security controls of StoryCycle Genie ("the Service"), an AI-assisted brand-storytelling platform. It is intended to support a prospective customer's security and governance review. We are happy to complete a vendor security questionnaire or hold a technical review call to go deeper on any item below.
1. Service summary
StoryCycle Genie is a multi-tenant SaaS application that helps teams plan, generate, and manage brand-storytelling content using large language models (LLMs). Users authenticate, work within an isolated account/organization, and generate content through guided AI workflows.
2. Architecture & hosting
- Application: Next.js / React (TypeScript), hosted on Vercel with managed hosting and automatic TLS.
- Database & auth: PostgreSQL and Supabase Auth on Supabase — managed Postgres, encrypted at rest by the platform.
- File/object storage: Supabase Storage with access-controlled buckets.
- Billing: Stripe — card data handled entirely by Stripe (PCI-DSS Level 1); we never store card numbers.
- Error monitoring: Sentry, with PII reporting disabled.
- LLM gateway: OpenRouter, routing inference to upstream model providers (see section 5).
Encryption in transit: all client and server traffic is served over TLS by Vercel and Supabase.
Encryption at rest: database and object storage are encrypted at rest by the underlying managed platforms (Supabase / AWS).
3. Authentication & identity
- Identity and session management are provided by Supabase Auth.
- Supported sign-in methods: email/password, magic link, and OAuth (Google).
- Multi-factor authentication (MFA) is supported, with AAL2 (second-factor) enforcement available. Privileged/administrative access is gated behind MFA compliance checks at the database level.
- Passwords are never stored by the application in plaintext; credential storage is handled by the managed auth provider.
4. Data access control & tenant isolation
- Row-Level Security (RLS) is enabled across tenant-scoped tables — including accounts, memberships, roles/permissions, billing, API keys, and usage records. Tenants can only read and write data belonging to their own account.
- The anonymous database role is granted no privileges; access requires an authenticated session, and grants are scoped to the authenticated principal.
- Role-based access control governs what members can do within an account (owner / member / role-based permissions).
- Application-managed secrets (e.g., stored API keys and sensitive credentials) are encrypted at the application layer with AES-256 before being persisted.
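An added illustration, not StoryCycle's own schema or policies, of how the controls in sections 3 and 4 can be expressed on Supabase Postgres: RLS scoped by account membership, no privileges for the anon role, and an AAL2 requirement enforced in the database. Table, column, and policy names are hypothetical; `auth.uid()` and `auth.jwt()` are Supabase's built-in helper functions.

```sql
-- Hypothetical schema: names are assumptions for illustration only.
create table public.accounts (
  id   uuid primary key default gen_random_uuid(),
  name text not null
);

create table public.memberships (
  account_id uuid not null references public.accounts (id) on delete cascade,
  user_id    uuid not null references auth.users (id) on delete cascade,
  role       text not null check (role in ('owner', 'member')),
  primary key (account_id, user_id)
);

-- Default-deny: with RLS enabled and no matching policy, no rows are visible.
alter table public.accounts    enable row level security;
alter table public.memberships enable row level security;

-- The anonymous role gets nothing; only authenticated sessions receive grants.
revoke all on public.accounts, public.memberships from anon;
grant select, update on public.accounts to authenticated;
grant select on public.memberships to authenticated;

-- A user sees only their own membership rows.
create policy memberships_own_rows on public.memberships
  for select to authenticated
  using (user_id = (select auth.uid()));

-- Tenant isolation: an account is visible only to its members.
create policy accounts_member_read on public.accounts
  for select to authenticated
  using (exists (
    select 1 from public.memberships m
    where m.account_id = accounts.id
      and m.user_id = (select auth.uid())
  ));

-- Role-based access: only owners may update their account.
create policy accounts_owner_update on public.accounts
  for update to authenticated
  using (exists (
    select 1 from public.memberships m
    where m.account_id = accounts.id
      and m.user_id = (select auth.uid())
      and m.role = 'owner'
  ));

-- A restrictive policy is ANDed with the one above: updates also need AAL2.
create policy accounts_update_requires_aal2 on public.accounts
  as restrictive for update to authenticated
  using ((select auth.jwt() ->> 'aal') = 'aal2');
```

A reviewer can confirm coverage by checking that `relrowsecurity` in `pg_class` is true for every tenant-scoped table and that each such table has at least one policy.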
5. AI / LLM data flow
StoryCycle Genie generates content by sending user prompts and relevant context to LLMs. Inference requests are routed through OpenRouter, which forwards them to the selected upstream model provider — which may include Anthropic, OpenAI, Google, Mistral, and others, depending on the configured model.
What this means for a reviewer:
- User-entered prompts and supplied context are transmitted to these third-party model providers for the sole purpose of generating the requested output.
- We do not use customer content to train our own models.
- Data-processing terms for inference are governed by OpenRouter and the upstream providers' terms; we can provide the current provider list on request and align model routing to a customer's approved-vendor constraints where feasible.
We surface this flow explicitly because a governance review should account for where content is processed, not just where it is stored.
6. Sub-processors
Core sub-processors today: Vercel (hosting), Supabase (database, auth, storage), Stripe (billing), Sentry (error monitoring), and OpenRouter plus the upstream LLM providers it routes to (Anthropic, OpenAI, Google, Mistral, and others). See the Sub-processor List in this section for the formal, versioned document.
7. Monitoring & operations
- Application errors are captured via Sentry, configured to exclude PII by default.
- Billing and subscription events are processed through Stripe with signed webhooks.
8. Policies & legal documents
- Privacy Policy: published (see this section).
- Data Processing Agreement (DPA): published (see this section); executed per customer.
- Versioned sub-processor list: published (see this section).
- Data retention & deletion: content is retained until a customer deletion request; verified deletion requests are honored within 30 days.
- Terms of Service are in production and cover service use, IP ownership, account security, and limitation of liability.
Additional compliance documentation — including our current control roadmap — is available to customers and prospective customers on request under a direct exchange.
9. How to engage
We're glad to:
- Complete your standard vendor security questionnaire (SIG, CAIQ, or your own).
- Walk through this architecture on a technical review call.
- Provide our DPA and current sub-processor list.
- Scope model-routing constraints to your approved-vendor requirements.
Contact: Sean Schroeder — sean@storycycle.ai