A complete posture summary — infrastructure, encryption, access controls, backups, vulnerability management, and incident response. Use this page to answer vendor security questionnaires (SIG, CAIQ) or as a starting point for a one-page security review.

| Component | Provider (region) and notes |
|---|---|
| Application hosting | Vercel (United States) — Next.js 15 on Vercel's serverless/edge runtime. |
| Database + storage | Supabase (United States) — managed Postgres with workspace-scoped Row-Level Security on every tenant table. |
| AI processing | Anthropic Claude (United States) — customer data is not used to train models, per Anthropic's API terms. |
| Background workers | Railway (United States) — signals worker + PACA enrichment as scheduled Python jobs. |
| Payments | Stripe (United States) — PCI-DSS Level 1 service provider. Card data never touches our infrastructure. |
| Observability | Sentry (United States) — error tracking. PII is scrubbed by default in our configuration before events are sent. |
| Email | Resend (United States) — transactional email only; addresses are not added to marketing lists. |

| Layer | Control |
|---|---|
| In transit | TLS 1.2+ on all customer-facing endpoints. HSTS enforced by Vercel. |
| At rest | AES-256 at the database layer (Supabase managed). Storage buckets encrypted at rest. |
| Backups | Encrypted at rest with the same provider-managed keys as the primary database. |
| Secrets | Stored in Vercel Environment Variables (encrypted at rest), never committed to the repo. Scoped per environment (preview vs. production). |
| API tokens | Only a SHA-256 hash is persisted; lookups are by hash. The cleartext is shown once at creation and cannot be recovered from the stored hash. |

| Control | Implementation |
|---|---|
| Workspace isolation | Row-Level Security on every tenant table, keyed on `workspace_id` and the caller's identity from Supabase Auth (`auth.uid()`). A request made with a user JWT cannot read another workspace's rows; the database enforces this, not application code. The service-role key bypasses RLS and is never shipped to clients. |
| Role hierarchy | Owner / Manager / Rep / Viewer. Enforced both in RLS policies AND at the route handler layer, so a bug in one layer does not by itself grant access. |
| Audit log | Every create/update/delete on tenant tables logged with actor, timestamp, and before/after JSON. 90-day default retention (workspace-configurable up to 10 years). |
| Personnel access | Least privilege; documented justification required for production access. Service-role key rotated on personnel changes per SECRETS_ROTATION.md. |
| SSO support | SAML 2.0 with Okta, Entra ID, Google Workspace, OneLogin, and generic SAML. Per-workspace email-domain routing. |
| 2FA | Supabase Auth supports TOTP 2FA at the user level. Workspace-wide enforcement is available on the Pro tier. |
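The isolation, role and audit-log rows above describe database-enforced controls. The following Postgres/Supabase SQL is an added example (not the project's own schema or migrations) of what such controls look like: a hypothetical `deals` tenant table with workspace-scoped RLS, writes gated by the member's role, and a trigger that records actor, timestamp and before/after JSON into an `audit_log` table. The table and column names (`workspace_members`, `deals`, `audit_log`) are assumptions; `auth.uid()` is Supabase Auth's helper that returns the caller's user id from the JWT.

```sql
-- Added example, not the project's schema. Assumed tables: workspace_members,
-- deals, audit_log. Requires Supabase's auth.uid() helper.
create table if not exists public.workspace_members (
  workspace_id uuid not null,
  user_id      uuid not null,
  role         text not null check (role in ('owner', 'manager', 'rep', 'viewer')),
  primary key (workspace_id, user_id)
);

create table if not exists public.deals (
  id           uuid primary key default gen_random_uuid(),
  workspace_id uuid not null,
  title        text not null
);

-- The caller's role in a workspace, or null if they are not a member.
-- security definer so the lookup works even though members cannot read
-- each other's rows; search_path is pinned to avoid function hijacking.
create or replace function public.member_role(ws uuid)
returns text
language sql stable security definer set search_path = public
as $$
  select role from public.workspace_members
  where workspace_id = ws and user_id = auth.uid()
$$;

-- Members may only see their own membership rows.
alter table public.workspace_members enable row level security;
create policy members_select on public.workspace_members
  for select to authenticated using (user_id = auth.uid());

alter table public.deals enable row level security;
alter table public.deals force row level security;  -- also binds the table owner

-- Any member of the workspace may read its rows.
create policy deals_select on public.deals
  for select to authenticated
  using (public.member_role(workspace_id) is not null);

-- Owner / Manager / Rep may create and modify; Viewer is read-only.
create policy deals_insert on public.deals
  for insert to authenticated
  with check (public.member_role(workspace_id) in ('owner', 'manager', 'rep'));

create policy deals_update on public.deals
  for update to authenticated
  using (public.member_role(workspace_id) in ('owner', 'manager', 'rep'))
  with check (public.member_role(workspace_id) in ('owner', 'manager', 'rep'));

-- Only the Owner may delete.
create policy deals_delete on public.deals
  for delete to authenticated
  using (public.member_role(workspace_id) = 'owner');

-- Audit log: who, when, and the row before/after every write.
create table if not exists public.audit_log (
  id           bigint generated always as identity primary key,
  workspace_id uuid not null,
  table_name   text not null,
  action       text not null,          -- INSERT / UPDATE / DELETE
  actor_id     uuid,                   -- auth.uid(); null for service-role writes
  occurred_at  timestamptz not null default now(),
  before_row   jsonb,                  -- null on INSERT
  after_row    jsonb                   -- null on DELETE
);

create or replace function public.audit_row_change()
returns trigger
language plpgsql security definer set search_path = public
as $$
begin
  insert into public.audit_log
    (workspace_id, table_name, action, actor_id, before_row, after_row)
  values (
    case tg_op when 'DELETE' then old.workspace_id else new.workspace_id end,
    tg_table_name,
    tg_op,
    auth.uid(),
    case when tg_op in ('UPDATE', 'DELETE') then to_jsonb(old) end,
    case when tg_op in ('INSERT', 'UPDATE') then to_jsonb(new) end
  );
  return coalesce(new, old);
end;
$$;

create trigger deals_audit
  after insert or update or delete on public.deals
  for each row execute function public.audit_row_change();

-- Members can read their workspace's audit entries. No insert/update/delete
-- policy exists, so only the security-definer trigger can write to the log.
alter table public.audit_log enable row level security;
create policy audit_select on public.audit_log
  for select to authenticated
  using (public.member_role(workspace_id) is not null);
```

Two caveats a reviewer would check: `force row level security` binds the table owner but not roles with the `BYPASSRLS` attribute, so Supabase's service-role key still sees every row and must stay server-side; and every tenant table needs its own policies, since enabling RLS without any policy denies all access rather than falling back to the `workspace_id` check.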

| Topic | Commitment |
|---|---|
| Customer data ownership | Customer retains ownership at all times. We process data only to provide the service. |
| Data residency | United States today. EU/UK residency available on the Enterprise plan via Supabase region selection. |
| Data export | Self-serve export available for 30 days post-cancellation. CSV via the admin UI; full JSON via the API. |
| Retention after termination | 30-day window for export. Production rows permanently deleted thereafter. Backups age out per the rotation schedule (7-30 days). |
| Sub-processors | Listed publicly in our DPA. 30-day notice before adding or replacing a sub-processor. |
| AI training opt-out | Customer data is never used to train AI models. Anthropic's API terms explicitly prohibit this. |

| Practice | Detail |
|---|---|
| Dependency scanning | Automated via npm audit + GitHub Dependabot. Critical CVEs addressed within 7 days; high within 30. |
| Source code | Private GitHub repository with branch protection on main + required PR review. |
| Security testing | Internal pre-release review on every change. Third-party penetration testing planned ahead of the SOC 2 Type II audit. |
| Disclosure | Responsible-disclosure email at security@example.com. Bug bounty program planned. |

| Capability | Detail |
|---|---|
| Detection | Sentry monitors application errors + performance. /api/healthz reports presence-only checks (whether each required environment variable is set, never its value) for external uptime monitors. |
| Notification | Customers notified within 72 hours of a confirmed personal-data breach affecting their workspace, including nature, scope, and mitigation per our DPA Section 7. |
| DR / RTO / RPO | Documented in BACKUP_RECOVERY.md. RTO ~30 min on the happy path (DB restore + Vercel rollback); RPO 24 hours on the free tier, 1 minute on Supabase Pro (PITR). |
| Quarterly drill | DR restore tested against a disposable Supabase project. Latest drill date logged in BACKUP_RECOVERY.md. |

| Framework | Status |
|---|---|
| SOC 2 | Not yet certified. Type II audit planned in [TIMELINE]. Vendor questionnaire available on request. |
| GDPR | DPA available at /dpa. Standard Contractual Clauses for EU/UK transfers. |
| CCPA | Privacy Policy describes consumer rights at /privacy. |
| HIPAA | Not in scope today — no PHI processing. |
| PCI-DSS | Out of scope — Stripe is our PCI-compliant payment processor; card data never touches our systems. |

We welcome responsible disclosure. If you've found a security issue, report it to security@example.com.

For enterprise reviews, additional materials (such as the completed vendor questionnaire) are available on request: email security@example.com with your request.