
Security & Trust

Last reviewed: April 27, 2026 · Reviewed quarterly, or after any material change

Scope: the ShowOps.AI production platform at *.showops.ai and its Supabase (us-east-2), Vercel (us-east-1), and third-party sub-processors.
Contact: security@showops.ai

We're a new company operating at enterprise scale. We prefer an honest gap analysis over a performative claim. This page documents what's running in production today, what's on the roadmap, and where we're still building. It is derived from, and kept in sync with, an internal SOC 2 Trust Services Criteria gap analysis that is reviewed quarterly.

1. Tenancy & Isolation

Every tenant runs on PostgreSQL with Row-Level Security enforced at the database — not just in the application layer. Cross-org access is structurally impossible at the query level.

  • Row-Level Security on all 13 tenant schemas: public, vip, lld, produce, rehearse, staffing, sales, budget, suppliers, dispatch, spaces, logistics, intelligence, shared, and platform.
  • JWT-backed org enforcement: RLS policies match organization_id against the caller's JWT claim via the current_user_org_id() SQL function. Cross-tenant reads and writes are blocked at the database layer, not just by application convention.
  • Anon SELECT revoked: the browser anon-key client returns zero rows from every multi-tenant schema. Only public.organizations and public.org_feature_flags remain anon-readable for login + edge config.
  • Org-scoping CI lint: every query against tenant schemas must filter by organization_id. Enforced by npm run lint:org-scoping across all 13 schemas; pre-existing queries are tracked in a grandfathered set being retrofitted incrementally.
  • RLS guardrail on every new table: a CI check rejects any migration that creates a table without ENABLE ROW LEVEL SECURITY in the same migration.
  • Live RLS audit RPC: a runtime database query catches policy drift on real data, beyond the static migration check. Run before onboarding every new client and quarterly thereafter.
  • Per-org branding: JSONB override per organization. One tenant cannot read another's branding, logos, or theme.
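The migration guardrail described above, as an added example that is not ShowOps.AI's own CI code: a linter that rejects any migration creating a table without ENABLE ROW LEVEL SECURITY in the same file. It also flags RLS-enabled tables whose policies never reference organization_id, which goes a step beyond what the page describes. The three sample migrations, the table names and the function names are constructed for this example; current_user_org_id() is the SQL function the page names.

```typescript
// Added example, not ShowOps.AI's own code. A CI guardrail for migrations:
// every CREATE TABLE must be paired with ENABLE ROW LEVEL SECURITY in the same
// file, and (an extra check beyond the page) every RLS-enabled table should
// carry a policy that references organization_id. All names are constructed.

export interface MigrationLintResult {
  tablesCreated: string[];
  missingRls: string[];       // created without ENABLE ROW LEVEL SECURITY
  missingOrgPolicy: string[]; // RLS enabled, but no policy mentions organization_id
}

// Collect every match of a regex without relying on String.prototype.matchAll.
function allMatches(re: RegExp, text: string): RegExpExecArray[] {
  const out: RegExpExecArray[] = [];
  const g = new RegExp(re.source, re.flags.indexOf("g") >= 0 ? re.flags : re.flags + "g");
  let m: RegExpExecArray | null;
  while ((m = g.exec(text)) !== null) out.push(m);
  return out;
}

// Lower-case, strip double quotes, default an unqualified name to "public".
function qualify(schema: string | undefined, table: string): string {
  const s = (schema === undefined ? "public" : schema).replace(/"/g, "").toLowerCase();
  return `${s}.${table.replace(/"/g, "").toLowerCase()}`;
}

const NAME = '(?:("?\\w+"?)\\.)?("?\\w+"?)'; // optional schema (group 1) + table (group 2)
const CREATE_TABLE_RE = new RegExp(`create\\s+table\\s+(?:if\\s+not\\s+exists\\s+)?${NAME}`, "gi");
const ENABLE_RLS_RE = new RegExp(`alter\\s+table\\s+(?:only\\s+)?${NAME}\\s+enable\\s+row\\s+level\\s+security`, "gi");
const CREATE_POLICY_RE = new RegExp(`create\\s+policy\\s+"?\\w+"?\\s+on\\s+${NAME}([\\s\\S]*?);`, "gi");

export function lintMigrationForRls(sql: string): MigrationLintResult {
  // Drop comments first so a commented-out ALTER TABLE cannot satisfy the check.
  const body = sql.replace(/--[^\n]*/g, "").replace(/\/\*[\s\S]*?\*\//g, "");

  const created = new Set<string>();
  for (const m of allMatches(CREATE_TABLE_RE, body)) created.add(qualify(m[1], m[2]));

  const rlsEnabled = new Set<string>();
  for (const m of allMatches(ENABLE_RLS_RE, body)) rlsEnabled.add(qualify(m[1], m[2]));

  const orgScoped = new Set<string>();
  for (const m of allMatches(CREATE_POLICY_RE, body)) {
    if (/\borganization_id\b/i.test(m[3])) orgScoped.add(qualify(m[1], m[2]));
  }

  const tablesCreated = Array.from(created).sort();
  return {
    tablesCreated,
    missingRls: tablesCreated.filter((t) => !rlsEnabled.has(t)),
    missingOrgPolicy: tablesCreated.filter((t) => rlsEnabled.has(t) && !orgScoped.has(t)),
  };
}

// CI entry point: a non-empty reason list means the migration is rejected.
export function migrationRejectionReasons(sql: string): string[] {
  const r = lintMigrationForRls(sql);
  return [
    ...r.missingRls.map((t) => `${t}: created without ENABLE ROW LEVEL SECURITY`),
    ...r.missingOrgPolicy.map((t) => `${t}: RLS enabled but no policy filters on organization_id`),
  ];
}

// Constructed sample migrations (not from the ShowOps.AI code base).
export const MIGRATION_OK = `
create table vip.guest_lists (
  id uuid primary key,
  organization_id uuid not null references public.organizations(id),
  name text not null
);
alter table vip.guest_lists enable row level security;
create policy guest_lists_org on vip.guest_lists
  using (organization_id = current_user_org_id())
  with check (organization_id = current_user_org_id());
`;

export const MIGRATION_NO_RLS = `
create table staffing.shifts (id uuid primary key, organization_id uuid not null);
-- alter table staffing.shifts enable row level security;  (commented out: must not count)
`;

export const MIGRATION_OPEN_POLICY = `
create table if not exists sales.quotes (id uuid primary key, organization_id uuid not null);
alter table sales.quotes enable row level security;
create policy quotes_all on sales.quotes using (true);
`;
```

Comments are stripped before matching so that a commented-out ALTER TABLE cannot satisfy the check; a real pipeline would run this over every file in the migration directory and fail the build on any non-empty reason list.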

2. Authentication & Access Control

  • Session cookies: HMAC-SHA256 signed, 12-hour TTL, with sliding-window renewal past 50% lifetime.
  • Magic-link admin invites: 72-hour TTL, single-use, hashed at rest. The auth callback writes organization_id to the user's JWT app metadata and refreshes the session, so every authenticated request carries the org claim that powers RLS.
  • Seven roles, per-venue scoping: admin, executive_producer, producer, technical_director, venue_manager, stakeholder, viewer. venue_manager roles are filtered to assigned venue_codes.
  • 3-layer agent RBAC: role tier determines agent-type access, then venue scoping, then an output data filter. A BOM result for a non-full-access role is stripped of cost, sourcing, and lead-time fields before it leaves the server. CI-enforced — every agent route is verified to call requireAgentAccess() (or an equivalent) at build time.
  • No client-side data queries: the browser anon-key Supabase client may only call auth.* and channel(...) for Realtime. All data reads go through server-side API routes, enforced by npm run lint:no-client-queries.
  • Realtime subscriptions are org-scoped: every Supabase Realtime channel includes an organization_id filter to prevent cross-tenant event leakage.
  • SSO (Okta / SAML): on the roadmap for enterprise tenants. Contact security@showops.ai for availability.
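The session-cookie scheme described in this section, as an added example rather than ShowOps.AI's own code: an HMAC-SHA256 signed cookie with a 12-hour TTL, constant-time signature comparison, and sliding renewal once more than 50% of the lifetime has elapsed. The payload layout, the function names and the test secret are assumptions; the organization_id claim in the payload mirrors the org claim the page says every authenticated request carries.

```typescript
import { createHmac, timingSafeEqual } from "crypto";

// Added example, not ShowOps.AI's own code. An HMAC-SHA256 signed session
// cookie with a 12-hour TTL and sliding renewal once more than half the
// lifetime has elapsed. Payload fields and function names are assumptions.

export const SESSION_TTL_MS = 12 * 60 * 60 * 1000;

export interface SessionPayload {
  userId: string;
  organizationId: string;
  issuedAt: number;  // epoch milliseconds
  expiresAt: number; // epoch milliseconds
}

function hmac(secret: Buffer, data: string): Buffer {
  return createHmac("sha256", secret).update(data, "utf8").digest();
}

// cookie value = base64url(JSON payload) + "." + base64url(HMAC over that body)
export function signSession(secret: Buffer, payload: SessionPayload): string {
  const body = Buffer.from(JSON.stringify(payload), "utf8").toString("base64url");
  return `${body}.${hmac(secret, body).toString("base64url")}`;
}

export function issueSession(secret: Buffer, userId: string, organizationId: string, now: number): string {
  return signSession(secret, { userId, organizationId, issuedAt: now, expiresAt: now + SESSION_TTL_MS });
}

// Returns the payload only if the signature verifies and the session is unexpired.
export function verifySession(secret: Buffer, cookie: string, now: number): SessionPayload | null {
  const dot = cookie.lastIndexOf(".");
  if (dot <= 0) return null;
  const body = cookie.slice(0, dot);
  const presented = Buffer.from(cookie.slice(dot + 1), "base64url");
  const expected = hmac(secret, body);
  // Length check first: timingSafeEqual throws on unequal lengths.
  if (presented.length !== expected.length || !timingSafeEqual(presented, expected)) return null;
  let payload: SessionPayload;
  try {
    payload = JSON.parse(Buffer.from(body, "base64url").toString("utf8"));
  } catch (e) {
    return null;
  }
  if (typeof payload.issuedAt !== "number" || typeof payload.expiresAt !== "number") return null;
  if (now >= payload.expiresAt) return null;
  return payload;
}

// Sliding window: renew once more than 50% of the TTL has been used.
export function shouldRenew(payload: SessionPayload, now: number): boolean {
  return now - payload.issuedAt > SESSION_TTL_MS / 2;
}

// Middleware-style helper: verify, and hand back a fresh cookie when renewal is due.
export function refreshIfNeeded(
  secret: Buffer,
  cookie: string,
  now: number,
): { payload: SessionPayload | null; renewedCookie: string | null } {
  const payload = verifySession(secret, cookie, now);
  if (payload === null) return { payload: null, renewedCookie: null };
  if (!shouldRenew(payload, now)) return { payload, renewedCookie: null };
  return { payload, renewedCookie: issueSession(secret, payload.userId, payload.organizationId, now) };
}
```

The signature is checked before the body is parsed, so unsigned or re-signed bodies never reach JSON.parse, and the expiry comes from the signed payload rather than from anything the client can set separately. Renewal re-issues a fresh issuedAt/expiresAt pair, which is what bounds an idle session at 12 hours while letting an active one continue.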

3. Audit, Logging & Monitoring

  • Audit log: every mutation captured with timestamp, actor, action, before/after snapshot. 24-month retention.
  • Centralized audit logging on financial mutations: all 24 budget-module mutation routes write through a centralized helper, eliminating coverage gaps.
  • Reversibility for committed financial state: POST /api/budget/sows/[id]/unsigned and POST /api/budget/budgets/[id]/un-actualize undo signed SOWs and actualized line items — admin/EP only, with mandatory audit-trailed reason text.
  • CSV export: admins can export the audit log on demand for compliance review or discovery requests.
  • Error monitoring: Sentry with per-endpoint sampling — 100% for /api/agents/*, /api/auth/*, /api/sync/*, and /api/cron/*; 20% for everything else. PII scrubbing is applied to logger and Sentry payload paths.
  • Uptime: BetterStack external monitoring against /api/health which runs multi-component checks (Supabase circuit-breaker state, sync health, Anthropic API reachability, env validation, schema version).
  • Security advisor: Supabase advisor lints run on every release and on a scheduled cron; findings tracked and remediated as PRs.

4. Data Protection

  • TLS everywhere. Nonce-based Content Security Policy in middleware (no unsafe-inline for scripts). HSTS preload.
  • CSRF: Origin header validation enforced in middleware for every mutation.
  • Field-level encryption (AES-256-GCM) at rest: sensitive BOM cost, sourcing, and lead-time columns are encrypted with a 256-bit key (FIELD_ENCRYPTION_KEY) before insert. Plaintext is never written.
  • Encrypted OAuth credentials: external-integration refresh tokens stored in platform.integration_credentials are encrypted with AES-256-GCM via SHOWOPS_SECRETS_KEY. Required to integrate with QuickBooks, Xero, and other accounting back-ends.
  • Prompt-injection defense: every untrusted text input passed to a model is sanitized through lib/agent-input-guard.ts. CI-enforced — npm run lint:prompt-injection rejects any LLM-calling file that bypasses the guard without an explicit @prompt-injection-safe justification.
  • Single Anthropic SDK choke point: lib/anthropic.ts is the only file allowed to import the Anthropic SDK. A CI guardrail blocks any other import; a runtime test asserts no custom baseURL, no training-beta headers, and no training flags. This is the infrastructural backing for the "no customer data trains any LLM" commitment.
  • Rate limiting (per-endpoint tier): auth 5/min, agent 10/min, chat 15/min, upload 20/min, api 60/min.
  • Input validation: Zod schemas on every write path. Database-level CHECK constraints and foreign keys enforce integrity.
  • Hosting: Vercel (us-east-1, AWS-backed) + Supabase Postgres (us-east-2, AWS-backed). EU data residency available on request for enterprise tenants.
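The field-level encryption described above, as an added example that is not ShowOps.AI's code: AES-256-GCM over the sensitive BOM columns before insert, with a fresh random 96-bit IV per value and the auth tag stored alongside the ciphertext. Binding the ciphertext to the owning organization, table and column through GCM additional authenticated data (AAD) is an addition beyond what the page states; the key-loading helper, the storage format, the column names and the sample row are assumptions.

```typescript
import { createCipheriv, createDecipheriv, randomBytes } from "crypto";

// Added example, not ShowOps.AI's own code. Field-level AES-256-GCM encryption
// of sensitive BOM columns before insert. The AAD binding to organization,
// table and column (so a value copied between rows or tenants fails to
// authenticate) and all names here are assumptions for the example.

const IV_BYTES = 12;  // 96-bit nonce, the size GCM is designed for
const TAG_BYTES = 16; // 128-bit authentication tag

// FIELD_ENCRYPTION_KEY is assumed to be supplied as 64 hex characters (32 bytes).
export function loadFieldKey(hexKey: string): Buffer {
  const key = Buffer.from(hexKey, "hex");
  if (key.length !== 32) throw new Error("FIELD_ENCRYPTION_KEY must be 32 bytes (64 hex chars)");
  return key;
}

export interface FieldContext {
  organizationId: string;
  table: string;
  column: string;
}

function aad(ctx: FieldContext): Buffer {
  return Buffer.from(`${ctx.organizationId}|${ctx.table}|${ctx.column}`, "utf8");
}

// Stored form: "v1:" + base64(iv || ciphertext || tag). A new random IV per call.
export function encryptField(key: Buffer, ctx: FieldContext, plaintext: string): string {
  const iv = randomBytes(IV_BYTES);
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(aad(ctx));
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  const tag = cipher.getAuthTag();
  return "v1:" + Buffer.concat([iv, ct, tag]).toString("base64");
}

// Returns null for a wrong key, a mismatched org/table/column context,
// a tampered blob, or a value that was never encrypted.
export function decryptField(key: Buffer, ctx: FieldContext, stored: string): string | null {
  if (!stored.startsWith("v1:")) return null;
  const blob = Buffer.from(stored.slice(3), "base64");
  if (blob.length < IV_BYTES + TAG_BYTES) return null;
  const iv = blob.subarray(0, IV_BYTES);
  const tag = blob.subarray(blob.length - TAG_BYTES);
  const ct = blob.subarray(IV_BYTES, blob.length - TAG_BYTES);
  const decipher = createDecipheriv("aes-256-gcm", key, iv);
  decipher.setAAD(aad(ctx));
  decipher.setAuthTag(tag);
  try {
    return Buffer.concat([decipher.update(ct), decipher.final()]).toString("utf8");
  } catch (e) {
    return null; // GCM tag check failed
  }
}

// Constructed column list: the cost, sourcing and lead-time fields the page
// describes as encrypted at rest. Other columns are inserted as-is.
export const SENSITIVE_BOM_COLUMNS = ["unit_cost", "sourcing", "lead_time_days"] as const;

export function encryptBomRow(key: Buffer, organizationId: string, row: Record<string, string>): Record<string, string> {
  const out: Record<string, string> = { ...row };
  for (const col of SENSITIVE_BOM_COLUMNS) {
    if (col in out) out[col] = encryptField(key, { organizationId, table: "bom_items", column: col }, out[col]);
  }
  return out;
}
```

Because the AAD includes the organization id, a ciphertext moved to another tenant's row cannot be decrypted under that tenant's context even with the same key, and the version prefix leaves room for key rotation later. Plaintext for those columns never reaches the INSERT, which is the property the page commits to.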

5. Sub-processors

Every sub-processor relationship is governed by a signed DPA. The authoritative list lives in our DPA document and is reviewed whenever a new vendor is added.

  • Supabase: Postgres hosting, auth, storage.
  • Vercel: application hosting, edge network.
  • Anthropic: Claude API for agent workloads.
  • Resend: transactional email (magic-link invites, notifications).
  • Sentry: error monitoring and session replay (masked, opt-in).
  • Google Cloud: service-account-backed Google Sheets sync for venue LLD data.
  • Microsoft (Graph API): optional, per-tenant. OneDrive / SharePoint speaker content ingestion when Microsoft 365 is enabled as a content source.

See the Data Processing Addendum for the full inventory and contractual terms.

6. Incident Response

  • Written runbook: severity tiers (SEV-1 existential, SEV-2 material, SEV-3 localized), 15-minute first-response playbook, communication templates, and rollback procedures.
  • Backup runbook: documented RPO (1 minute) / RTO (30 minutes). Weekly automated backup verification. Quarterly restore drill procedure.
  • Customer notification: we notify affected customers within the timelines specified in your Data Processing Addendum. For personal data breaches, notification within 72 hours is standard.

7. Compliance Posture

What we can claim today:

  • SOC 2-aligned architecture. Controls are mapped to the five Trust Services Categories (CC, Availability, Confidentiality, Processing Integrity, Privacy) in our internal gap analysis. The majority of CC and CC-adjacent controls are met with evidence running in production; remaining gaps are tracked explicitly in the "cannot claim yet" list below and in our internal working document.
  • GDPR-aligned. Data subject request flows for export and deletion are live and can be triggered by customer admins without engineering involvement.
  • Published: Privacy Policy, Terms of Service, Data Processing Addendum, Acceptable Use Policy, Cookie Policy.

What we cannot honestly claim yet:

  • SOC 2 Type 1 or Type 2 attestation. No third-party attestation yet. Type 1 is on the roadmap pending engagement with a qualified CPA firm. Type 2 requires a 6–12 month observation period after Type 1.
  • First restore drill executed. Procedure is documented and staged; the first production dry run is scheduled before our first enterprise-tier customer goes live.
  • 24/7 on-call rotation. Today we run a single on-call pager. Second-pager handover is a post-first-hire commitment.

8. Responsible AI

We treat AI as a product surface with the same controls as any other — RBAC, audit logging, input validation, rate limiting — plus commitments specific to language models. Each commitment below is traceable to code, not policy.

  • Per-tenant learning, no pooled training. Your data trains your ShowOps.AI; never trains a cross-tenant model, never feeds an industry-wide corpus. Vendor LLM calls (Anthropic) run under commercial no-training terms. Backed by the SDK choke point above and a learning-scope CI lint that prevents code outside the learning layer from touching per-tenant adaptation tables.
  • Human-in-the-loop by default. Every consequential agent action creates a proposal in vip.agent_proposals for human approval, not a direct mutation. Proposals expire in 7 days.
  • No autonomous financial decisions. SOW signatures, budget commits, work-order dispatch, and change-order approvals all require human sign-off. Agent routes are CI-blocked from directly mutating the budget schema.
  • No surveillance of workers. Worker-monitoring column patterns (location, GPS, screenshot, keystroke, productivity score) are CI-blocked in any staffing migration.
  • Explicit AI labeling. Anything written by an agent is labeled in the UI as AI-generated and pending review.
  • Bias awareness. Ranking features (vendor scoring, crew assignment) return their feature signals alongside the score, so the reviewer sees what drove the recommendation.
  • Tenant-controlled deletion. DELETE /api/admin/learned-patterns resets adaptive thresholds for the calling tenant within 24 hours, with one audit-log row per reset. Coverage extends as additional learned-state tables ship in upcoming phases.

The full pillars (ethical, responsible, secure, private), the complete ten-commitment list with code-level traceability, the sub-processor table, the per-tenant learning architecture, and the honest residuals are published at /legal/ai-governance. The pillar narrative is also available at /safety.

9. Security Questions & Enterprise Reviews

If you're running a security questionnaire, a vendor-risk assessment, or a due-diligence review, we'll answer each control question with a citation — the control we have, the evidence, the gap where one exists, and the timeline. Email security@showops.ai with your framework of choice (SOC 2, ISO 27001, CAIQ, your own) and we'll respond within two business days.

A lie on a security questionnaire is a breach-level event when the customer discovers it later. An honest "not yet, here's our plan" is a negotiation point, not a deal-killer. We prefer the latter.
