Security
Executive intelligence runs on trust. The attestation comes first; the underlying controls follow.
SOC 2 Type II complete.
Audited by Sensiba LLP. Continuous controls monitoring through Vanta. Audit period December 17, 2025 through March 18, 2026.
The full report is available under mutual NDA. Verify our controls and request the report at our trust center, or by email at [email protected].
Encryption
- At rest: AES-256-GCM across all stored data.
- In transit: TLS 1.3 on every network hop.
- Token storage: OAuth refresh tokens encrypted with AES-256-GCM before persistence.
Multi-tenant isolation
- Org-scoped queries: Every database read is filtered by an org_id derived from the verified JWT, never from client input.
- Cache isolation: All caches are org-scoped; org switches clear cached state.
- Trust boundaries: Backend services fail closed if org context is missing or unverifiable.
- Continuous discovery testing: CI fails any code path that bypasses org_id filtering.
Authentication and authorization
- OAuth 2.0: Industry-standard authentication with secure token management.
- Read-only scopes: We request the minimum OAuth scope on every integration. No write permissions on GitHub, Slack, Jira, or calendar sources.
- Token rotation: Automatic refresh 10 minutes before expiry.
- Multi-factor authentication: Available through Auth0.
- Passwordless email OTP: Primary end-user authentication path; no shared password reuse risk.
Infrastructure
- Cloud hosting: AWS with automatic backups and disaster recovery.
- Database: ArangoDB with encryption at rest and role-based access controls.
- Network security: Virtual Private Cloud isolation across services.
- Rate limiting: Per-organization throttles to prevent abuse and noisy-neighbor effects.
Privacy and data minimization
- Read-only: We never write back to your source systems.
- Minimization: We pull only the data needed to produce the brief.
- Deletion: 30-Day Finding data is deleted after 30 days, or sooner on request. Pilot data is deleted on pilot close.
- No data sales: We never sell, share, or expose customer data to third parties.
- No model training on customer data: LLM calls run as inference only; customer content is not used to fine-tune any model.
- GDPR and CCPA compliant: DPA available day one. EU and California rights honored on request.
Incident response
If a security incident occurs:
- Immediate containment and investigation.
- Affected users notified within 72 hours.
- Platform providers notified within 48 hours.
- Detailed incident report provided.
- Remediation steps and prevention measures implemented and documented in Vanta.