Security
Security practices for the product as it exists today.
Support AI is built around authenticated access, organization-level scoping, and reviewable support workflows. This page summarizes the safeguards that are visible in the current product and codebase.
Transport and infrastructure
- The production application is intended to run over HTTPS.
- Authentication and application data are handled through Supabase-backed services and application routes.
- Data in transit depends on the security guarantees of the application host and the underlying service providers used to operate the product.
- Data-at-rest protections depend on the infrastructure providers used by the product. We avoid making stronger claims here than the current implementation can support directly.
Authentication and access controls
- User access is gated by authenticated sessions and email verification before dashboard access is granted.
- Dashboard routes and many dashboard APIs enforce role-based access controls for owner, admin, and member roles.
- Organization-scoped access checks are enforced in server-side helpers before protected data is returned.
- Team invites now support email-based acceptance flows and membership assignment to the correct workspace.
Operational controls
- Audit logs are available in the dashboard for key actions such as document management, team changes, and other workspace events.
- Sensitive workflows are described publicly with human approval or escalation boundaries where appropriate.
- Verification email delivery attempts and failures are logged for supportability.
- Workspace owners can export data, delete conversations in bulk, configure notification destinations, and manage API keys and webhooks.
What we do not claim
- This site does not claim SOC 2, HIPAA, ISO 27001, or other certifications unless they are actually in place.
- This site does not claim automatic retention enforcement where the product currently only exposes a retention setting.
- This site does not describe customer-managed encryption keys, SSO, or advanced enterprise controls unless they are implemented and documented.