Security & Trust

• Email and password sign-in with industry-standard hashing.
• Optional Google OAuth, gated to pre-approved emails.
• Public account creation is disabled — access is invitation-only via the pilot program.
• Session tokens are short-lived and refreshed transparently.

• Role-based access control inside each organization (admin / member).
• Platform admin role is stored in a separate, server-validated table — never client-controlled.
• Every privileged server function authorizes the caller before acting.

Every customer record carries an organization ID. Row-Level Security policies are enforced at the database layer so that a user from one organization cannot read or write another organization's data, even if a request reaches the API directly. Tenant isolation is validated through documented testing procedures and ongoing verification.

• Sensitive actions (pilot approvals, role changes, admin operations) are written to an append-only audit log.
• Logs include actor, action, target, and timestamp.
• Logs are retained for operational review and security investigation.

• Encryption in transit (TLS) for all client and server traffic.
• Encryption at rest for the primary database and managed storage.
• Secrets and API keys are stored in a managed secret store — never in source.
• AI prompts are constructed server-side and constrained to records the user is authorized to read.

• Dependency scanning and automated security linting on every change.
• Least-privilege service roles; service-role keys never reach the browser.
• Public webhook and API endpoints verify signatures before processing payloads.
• Incident response: we will notify affected organizations of any confirmed security incident materially affecting their data.

If you believe you have found a security issue, please contact our contact page. Please do not publicly disclose the issue until we have had a chance to investigate and remediate.