Preparing page

Loading product graph, proof, and adoption context.

Preparing tokens&

Loading the next builder or enterprise surface.

Newsletter Talk to sales

Security

Security posture buyers can review before a pilot.

The platform is now prepared for enterprise security conversations: route-level hardening, RLS-backed database isolation, server-only privileged keys, production verification, and clear incident and data-handling boundaries.

Start security review Open trust center

Hosting: Vercel; Next.js production deployment
Database: Supabase; single active directory project
Checks: Clean; security advisor returned zero lints

Security scope

Controls buyers usually ask for first

These controls describe the current product and operational posture. Final legal commitments belong in the MSA, DPA, order form, and SLA.

Workspace gated

Access control

Enterprise workspaces are permissioned by organization. Admin and privileged workflows route through authenticated server handlers, not public browser secrets.

Verified

RLS enforcement

Supabase row-level security is enabled across the production public and enterprise tables, with policies reviewed through Supabase advisors.

Server-side

Secret hygiene

Service-role keys, cron secrets, provisioning secrets, and integration encryption keys are expected only in server/runtime environments.

Live

Transport security

Production responses include HTTPS-only platform delivery, HSTS, frame protections, content-type protections, and a restrictive frame-ancestors policy.

Tested

Audit-ready actions

Enterprise routes and scripts classify admin, cron, secret, callback, public, and session-scoped flows so risky endpoints stay visible during review.

Present

Data export/deletion path

Enterprise schemas include data request, audit, deletion cron, export job, and privacy-oriented data structures for customer review.

Incident response

Operational response model

Enterprise buyers will ask what happens when something goes wrong. This is the response model the team can operationalize.

1
Triage
Classify customer impact, affected systems, severity, and whether credentials or customer data may be involved.
2
Contain
Disable affected cron, API, or integration paths; rotate keys; pause exports or webhooks if needed.
3
Recover
Deploy the fix, verify production checks, inspect logs, and replay safe queued work from durable sources.
4
Notify
Provide customer-facing status, timeline, impact, remediation, and follow-up actions under the contract notice process.

Buyer-safe claims

Security claim guardrails

These keep sales, product, and the website aligned with what can safely be represented today.

Do not put Supabase service-role keys in NEXT_PUBLIC variables.
Do not promise SOC 2, HIPAA, or ISO certification unless the current artifact exists.
Do not expose private account intelligence in public proof pages or share cards.
Do not replay enterprise migrations into the public schema; enterprise data lives in the enterprise schema.
Do not run destructive database rollback actions without a recovery source and explicit approval.
Do not treat sample reports as verified live evidence unless the source data is labeled.

Security questionnaire

Answer from this page plus the enterprise packet; route edge cases to sales review.

Escalation

Contract should name severity levels, response targets, and notification contacts.

Residual risk

Custom domain, signed legal documents, and contract-specific SLA are still business operations, not code.

Security review can start now.

The product has enough public evidence to begin review, and the final commitments can be placed into the enterprise order form.

Talk to sales Open packet

Preparing page

Loading product graph, proof, and adoption context.

Security

Security posture buyers can review before a pilot.

Start security review Open trust center

Hosting: Vercel; Next.js production deployment
Database: Supabase; single active directory project
Checks: Clean; security advisor returned zero lints

Security scope

Controls buyers usually ask for first

These controls describe the current product and operational posture. Final legal commitments belong in the MSA, DPA, order form, and SLA.

Workspace gated

Access control

Enterprise workspaces are permissioned by organization. Admin and privileged workflows route through authenticated server handlers, not public browser secrets.

Verified

RLS enforcement

Supabase row-level security is enabled across the production public and enterprise tables, with policies reviewed through Supabase advisors.

Server-side

Secret hygiene

Service-role keys, cron secrets, provisioning secrets, and integration encryption keys are expected only in server/runtime environments.

Live

Transport security

Production responses include HTTPS-only platform delivery, HSTS, frame protections, content-type protections, and a restrictive frame-ancestors policy.

Tested

Audit-ready actions

Enterprise routes and scripts classify admin, cron, secret, callback, public, and session-scoped flows so risky endpoints stay visible during review.

Present

Data export/deletion path

Enterprise schemas include data request, audit, deletion cron, export job, and privacy-oriented data structures for customer review.

Incident response

Operational response model

Enterprise buyers will ask what happens when something goes wrong. This is the response model the team can operationalize.

1
Triage
Classify customer impact, affected systems, severity, and whether credentials or customer data may be involved.
2
Contain
Disable affected cron, API, or integration paths; rotate keys; pause exports or webhooks if needed.
3
Recover
Deploy the fix, verify production checks, inspect logs, and replay safe queued work from durable sources.
4
Notify
Provide customer-facing status, timeline, impact, remediation, and follow-up actions under the contract notice process.

Buyer-safe claims

Security claim guardrails

These keep sales, product, and the website aligned with what can safely be represented today.

Do not put Supabase service-role keys in NEXT_PUBLIC variables.
Do not promise SOC 2, HIPAA, or ISO certification unless the current artifact exists.
Do not expose private account intelligence in public proof pages or share cards.
Do not replay enterprise migrations into the public schema; enterprise data lives in the enterprise schema.
Do not run destructive database rollback actions without a recovery source and explicit approval.
Do not treat sample reports as verified live evidence unless the source data is labeled.

Security questionnaire

Answer from this page plus the enterprise packet; route edge cases to sales review.

Escalation

Contract should name severity levels, response targets, and notification contacts.

Residual risk

Custom domain, signed legal documents, and contract-specific SLA are still business operations, not code.

Security review can start now.

The product has enough public evidence to begin review, and the final commitments can be placed into the enterprise order form.

Talk to sales Open packet

Security posture buyers can review before a pilot.

Controls buyers usually ask for first

Access control

RLS enforcement

Secret hygiene

Transport security

Audit-ready actions

Data export/deletion path

Operational response model

Triage

Contain

Recover

Notify

Security claim guardrails

Security questionnaire

Escalation

Residual risk

Security review can start now.

Security posture buyers can review before a pilot.

Controls buyers usually ask for first

Access control

RLS enforcement

Secret hygiene

Transport security

Audit-ready actions

Data export/deletion path

Operational response model

Triage

Contain

Recover

Notify

Security claim guardrails

Security questionnaire

Escalation

Residual risk

Security review can start now.