Legal · Security

Security.

Security is foundational for an engineering system of record. Here's how we think about it — and what we'll send you on request.

Authentication & access

Credentials login with bcrypt-hashed passwords, JWT sessions, and middleware-enforced route protection. SSO/SCIM available on Enterprise.

Encryption

TLS in transit. AES-256-GCM at rest for user-supplied LLM keys. Database storage is encrypted at rest by the managed Postgres provider.

Auditability

Every state-changing action writes to an immutable ActivityLog so you can reconstruct what happened on any artifact, by whom, when.

Review-gated AI

AI suggestions enter a PENDING state. A human accepts or rejects before any domain record changes. No silent writes.

Tenant scoping

All queries are scoped to the caller's organization. Cross-tenant access requires explicit invitation and project-level membership.

Responsible operations

Managed infrastructure through Vercel plus managed Postgres, least-privilege service accounts, dependency scanning, and patch hygiene as part of routine deploys.

Need a security questionnaire or our compliance status?

For vendor security reviews, SOC 2 status, penetration testing summaries, or incident response procedures, get in touch and we'll send the current pack.