Data protection
- TLS 1.3 in transit on every connection between browser, API, database, and file store.
- AES-256 at rest for database (Supabase managed) and file storage (encrypted object store).
- Backup retention — daily snapshots with 30-day retention, point-in-time recovery to any second within the last 7 days.
- Regional residency — North America only (Canada and US AWS regions). No transatlantic replication.
Access control
- JWT auth via Supabase Auth; access tokens are short-lived and are refreshed transparently by the client.
- Row-level security (RLS) on every Postgres table — a user can only read rows where auth.uid() matches the project membership.
- Role hierarchy: FREE / INDEPENDENT_ENGINEER / SMALL_TEAM / COMPANY_ENTERPRISE / CONTRACTOR / GC_DESK / ADMIN — each with a defined RLS policy.
- MFA available for all roles; required for ADMIN.
- SSO (SAML / OIDC) available on the Enterprise plan.
Audit log
Every state change writes an append-only row to audit_log with actor, action, resource, diff, ip, user_agent, and a server-side timestamp. There is no API endpoint to delete or modify a logged row — the change log is immutable by design, not omission.
Engineering trace + security trace. Two separate streams: TraceStep records why a number is the value it is (engineering); audit_log records who touched what, when (security). Both are retained for the life of the project and beyond.
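As an added example (not the project's own schema or policies), this is how the membership-scoped RLS policy described under Access control and the append-only audit_log described above can be expressed in Supabase Postgres. The project_members and calculations tables, every table and policy name, the choice of column types, and the use of a trigger alongside RLS are assumptions for illustration; auth.uid() is the Supabase helper that returns the caller's user id from the verified JWT.

```sql
-- Assumed schema (illustrative, not the project's DDL): membership lives in
-- project_members(project_id, user_id); project data rows carry a project_id.
create table if not exists project_members (
  project_id uuid not null,
  user_id    uuid not null,          -- equals auth.uid() of the Supabase user
  primary key (project_id, user_id)
);

create table if not exists calculations (
  id         uuid primary key default gen_random_uuid(),
  project_id uuid not null,
  payload    jsonb not null
);

-- 1. Membership-scoped reads. With RLS enabled and no matching policy,
--    Postgres returns no rows at all, so a missing policy fails closed.
alter table calculations enable row level security;
alter table calculations force row level security;   -- also binds the table owner

create policy calculations_member_read on calculations
  for select
  to authenticated
  using (
    exists (
      select 1
      from project_members m
      where m.project_id = calculations.project_id
        and m.user_id    = auth.uid()
    )
  );

-- 2. Append-only audit log. Columns follow the page's description; the
--    timestamp and actor default server-side and are not taken from the client.
create table if not exists audit_log (
  id         bigint generated always as identity primary key,
  actor      uuid        not null default auth.uid(),
  action     text        not null,
  resource   text        not null,
  diff       jsonb,
  ip         inet,
  user_agent text,
  created_at timestamptz not null default now()
);

alter table audit_log enable row level security;
alter table audit_log force row level security;

-- Grant INSERT only. There is no UPDATE or DELETE policy and no grant for
-- them, so application roles are rejected at the privilege check and again
-- at the RLS check.
revoke all on audit_log from authenticated, anon;
grant insert on audit_log to authenticated;

create policy audit_log_append_only on audit_log
  for insert
  to authenticated
  with check (actor = auth.uid());

-- 3. Defence in depth: a role that bypasses RLS (for example a service key)
--    still cannot rewrite or delete rows while this trigger is in place.
create or replace function audit_log_immutable() returns trigger
language plpgsql as $$
begin
  raise exception 'audit_log is append-only (% attempted)', tg_op;
end;
$$;

create trigger audit_log_no_rewrite
  before update or delete on audit_log
  for each row execute function audit_log_immutable();

-- Verification, run as an authenticated user: an UPDATE or DELETE against
-- audit_log must fail, and a SELECT on calculations must return only rows
-- whose project_id appears in project_members for auth.uid().
```

The point of the third layer is that "no API endpoint can modify the log" is a statement about the application, while the grants, the absent policies and the trigger make it a property of the database that holds regardless of which code path or credential reaches it. If operators need to read the log, add a separate SELECT policy scoped to the ADMIN role rather than widening the INSERT-only grant.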
Application security
- OWASP Top-10 coverage with regular dependency scans, secret scanning on every push, and CI gates that block known-vulnerable dependencies.
- CSP, HSTS, X-Frame-Options set via Helmet on every API response.
- Rate limiting per IP and per user; brute-force protection on login.
- Input validation with class-validator on every API boundary; SQL injection prevented by parameterized queries (Prisma).
- Output sanitisation in PDFs and HTML reports — no untrusted user content reaches a render context.
Operations
- Infrastructure: Railway (API), Supabase (DB + Auth + Storage), Cloudflare Pages (CDN) — all SOC 2 vendors.
- Logging & monitoring: structured JSON logs with PII redaction; alerts on anomalous error rates or auth failures.
- Deployment: CI-gated, signed releases; staging mirrors production schema and policies.
- Secrets: never in code or logs; stored in Railway/Cloudflare secret managers with rotation.
Incident response
- Detection via on-call alerting plus daily anomaly review.
- Containment SLO: 1 hour from confirmed incident to access lock-down.
- Disclosure: affected customers notified within 72 hours of confirmed data event, per North American data-breach norms.
- Postmortem with root cause and corrective actions, published to affected customers.
Report a vulnerability
If you believe you have found a security issue, email [email protected] with reproduction steps. We acknowledge within one business day, do not pursue legal action against good-faith research, and credit reporters when remediation ships (with consent).