Security Architecture

Built for IT directors who need to verify before they trust. Every layer documented. Every claim verifiable.

256-Bit TLS Encryption

All data is encrypted in transit using TLS 1.3 with 256-bit AES-GCM encryption. Data at rest is encrypted via Supabase's AES-256 storage encryption, backed by cloud provider KMS. No unencrypted data ever leaves our infrastructure.

  • TLS 1.3 enforced on all endpoints
  • AES-256-GCM at rest via cloud KMS
  • HSTS headers with 1-year max-age
  • Certificate transparency logging enabled

Row-Level Tenant Isolation

Every database table with tenant data includes an org_id column enforced by PostgreSQL Row-Level Security (RLS) policies. The org_id is always derived from the JWT claim — never from the request body. This means a compromised request cannot access another organization's data.

  • RLS policies on every tenant table — no exceptions
  • org_id extracted from JWT app_metadata, never request body
  • Service role key restricted to server-side only
  • Anonymous role has zero access to tenant tables

Automatic PII Removal

Before any uploaded file content is sent to AI analysis, our PII stripper automatically removes personally identifiable information: email addresses, Windows usernames, full IPv4 addresses, FQDNs, Windows SIDs, and Active Directory paths. Your sensitive data never reaches the AI model.

  • Emails, usernames, IPs, FQDNs redacted
  • Windows SIDs and AD paths stripped
  • Runs before every Claude API call
  • Configurable per workflow type
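An added illustration of a redaction pass over the categories listed above, applied before text is handed to a model. It is not the product's own stripper: the rule patterns, the placeholder tokens, and the names `RULES` and `stripPII` are assumptions, and the sample input is constructed.

```javascript
// Added illustration: rule patterns and placeholder tokens are assumptions,
// not the product's own stripper.
// Order matters: specific shapes run first so the broad FQDN rule cannot
// split an email address or a distinguished name.
const RULES = [
  // AD distinguished name; CN/OU values may contain spaces, DC values may not.
  ["AD_PATH", /\b(?:CN|OU)=[^,\n]+(?:,(?:CN|OU)=[^,\n]+)*(?:,DC=[A-Za-z0-9-]+)+/gi],
  ["SID", /\bS-1-\d+(?:-\d+)+\b/g],
  ["EMAIL", /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+\b/g],
  // Username inside a profile path: keep the path, drop the name.
  ["USER", /(?<=\\Users\\)[^\\\s]+/gi],
  // DOMAIN\user; the lookbehind skips components in the middle of a file path.
  ["USER", /(?<![\\\w-])[A-Za-z0-9-]{1,15}\\[A-Za-z0-9._$-]+/g],
  ["IPV4", /\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b/g],
  // Three or more labels, so most bare file names (report.csv) are left alone.
  ["FQDN", /\b(?:[A-Za-z0-9-]+\.){2,}[A-Za-z]{2,}\b/g],
];

// Returns the redacted text plus per-category counts; the counts can be
// logged without logging the values that were removed.
function stripPII(text) {
  const counts = {};
  let out = text;
  for (const [label, pattern] of RULES) {
    out = out.replace(pattern, () => {
      counts[label] = (counts[label] || 0) + 1;
      return `[${label}]`;
    });
  }
  return { text: out, counts };
}

// Constructed sample input (not real log data).
const SAMPLE = [
  "Logon by CORP\\jdoe (S-1-5-21-1004336348-1177238915-682003330-1104) from 10.20.30.40",
  "Profile C:\\Users\\jdoe\\Documents synced to fs01.corp.example.com",
  "Owner CN=John Doe,OU=Staff,DC=corp,DC=example,DC=com mail jdoe@example.com",
].join("\n");

const REDACTED = stripPII(SAMPLE);
console.log(REDACTED.text);
console.log(REDACTED.counts);
```

These rules over-redact on purpose: a version string such as 1.2.3.4 matches the IPv4 rule, which is the safer failure direction for text leaving the tenant boundary.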

Append-Only Audit Logs

Every upload, analysis, report view, and administrative action is recorded in an append-only audit log. No UPDATE or DELETE operations are permitted on audit records. This creates a tamper-evident trail for compliance investigations and forensic review.

  • Append-only — no UPDATE or DELETE permitted
  • Covers uploads, analysis, reports, admin actions
  • Timestamp + actor + action + metadata on every entry
  • Accessible to org admins via Settings > Audit Log

Authentication & Access Control

Authentication is handled by Supabase Auth with httpOnly cookies for JWT storage — never localStorage. TOTP-based multi-factor authentication can be enforced at the organization level. Role-based access control separates owner, admin, and member permissions.

  • httpOnly cookies for JWT — never localStorage
  • TOTP MFA enforceable at org level
  • Role-based access: owner, admin, member
  • Session refresh with secure token rotation

File Upload Validation

Every uploaded file undergoes magic bytes validation — we inspect the actual file bytes, not just the extension or MIME type. Files that fail validation are quarantined immediately. Uploads go directly to encrypted storage via signed URLs with 5-minute expiry.

  • Magic bytes validation (not just extension/MIME)
  • Failed files quarantined with error logging
  • 5-minute signed URLs for direct-to-storage upload
  • SHA-256 hash computed for deduplication

Compliance Status

Framework     | Status      | Note
SOC 2 Type II | In Progress | Target Q3 2026
GDPR          | Compliant   | EU data processing documented
CCPA          | Compliant   | Data deletion on request
ISO 27001     | Planned     | Post SOC 2 completion

Third-Party Services

Service    | Purpose                                 | Location
Supabase   | Database, Auth, Storage, Edge Functions | US-East
Anthropic  | AI analysis (Claude API)                | US
Cloudflare | CDN, DDoS protection, hosting           | Global
Stripe     | Payment processing                      | US
Upstash    | Rate limiting (Redis)                   | US-East
Resend     | Transactional email                     | US

Questions About Security?

We're happy to discuss our security architecture in detail. Reach out to our team.