Skip to content

Security

Security practices for the product as it exists today.

Support AI is built around authenticated access, organization-level scoping, and reviewable support workflows. This page summarizes the safeguards that are visible in the current product and codebase.

Transport and infrastructure

  • The production application is intended to run over HTTPS.
  • Authentication and application data are handled through Supabase-backed services and application routes.
  • Data in transit depends on the security guarantees of the application host and the underlying service providers used to operate the product.
  • Data-at-rest protections depend on the infrastructure providers used by the product. We avoid making stronger claims here than the current implementation can support directly.

Authentication and access controls

  • User access is gated by authenticated sessions and email verification before dashboard access is granted.
  • Dashboard routes and many dashboard APIs enforce role-based access controls for owner, admin, and member roles.
  • Organization-scoped access checks are enforced in server-side helpers before protected data is returned.
  • Team invites now support email-based acceptance flows and membership assignment to the correct workspace.

Operational controls

  • Audit logs are available in the dashboard for key actions such as document management, team changes, and other workspace events.
  • Sensitive workflows are described publicly with human approval or escalation boundaries where appropriate.
  • Verification email delivery attempts and failures are logged for supportability.
  • Workspace owners can export data, delete conversations in bulk, configure notification destinations, and manage API keys and webhooks.

What we do not claim

  • This site does not claim SOC 2, HIPAA, ISO 27001, or other certifications unless they are actually in place.
  • This site does not claim automatic retention enforcement where the product currently only exposes a retention setting.
  • This site does not describe customer-managed encryption keys, SSO, or advanced enterprise controls unless they are implemented and documented.