Security & compliance

Elevate is built on Supabase with row-level security policies that keep tenant data apart. We do not claim certifications we have not earned—see our Security and Compliance pages for posture and roadmap.

Authentication and data plane

Users authenticate via Supabase Auth. Reads and writes of application data are governed by row-level security policies that require membership in the correct organization.

Service role keys are server-only and never ship to the browser.

Deployment and review

We target Next.js deployments your team can run on Vercel or compatible hosts. Enterprise customers can request architecture review, DPA, and deeper diligence under NDA.

Operational logging and audit trails are evolving in the product—see the admin audit log where enabled.

Related reading

For policy language and legal terms, see the Security and Compliance marketing pages and Privacy Policy. This module summarizes engineering intent; it is not a substitute for your legal review.