Safe by Default
ShowOps.AI is built for professionals who can't afford a data surprise. Ethical, responsible, secure, private β designed in, not bolted on.
The Marquee Claim
Your data trains your system.
Never anyone else's.
ShowOps.AI learns per-tenant β your venues, your crew patterns, your workflows. No pooled training. No cross-tenant aggregation. No vendor LLM trained on your data, ever. Learned patterns are deletable with one action, within 24 hours.
Four Pillars
Every AI decision at ShowOps.AI runs through these four lenses. When in doubt, the pillars override convenience and velocity.
We do not build features whose primary value is monitoring people. We surface bias in ranking β every vendor score, crew suggestion, and conflict resolution comes with the features that drove it. We do not automate decisions that meaningfully affect people without a human in the loop.
Agents propose; humans decide. Every consequential action creates a proposal (reviewable at /api/agents/proposals), not a direct mutation. Autonomy is earned per capability through explicit review β not granted by default.
Row-Level Security on every table. 3-layer RBAC for agents: role β agent access β venue scope β data filter. Prompt-injection defense on every untrusted input (lib/agent-input-guard.ts). Audit logs with before/after snapshots, 24-month retention.
Per-tenant learning, no pooled training. Your data trains your system, never anyone else's. Data minimization: only collect what the feature needs. Sub-processors (Supabase, Anthropic, Vercel, Resend, Sentry, plus optional integrations like Microsoft Graph) listed in the DPA; each role in the data flow documented. No third-party analytics that fingerprint users.
Per-Tenant Adaptation
Adaptation is on by default, disclosed at onboarding, and disableable in one action. Here's the exact scope.
β What adaptation uses
β What adaptation does NOT use
The revocability commitment: every tenant has a first-class "Delete my learned patterns" action that returns ShowOps.AI to baseline for their organization within 24 hours. No support ticket. No sales retention conversation. A button.
The Meta-Loop
One event's rhythm is six phases. What happens across events is a loop of four. Every show adds to your tenant's context β your system compounds from event to event, and the next one starts sharper than the last.
Every event adds to your tenant's context. Venue layouts, crew patterns, vendor networks, schedule rhythms β captured as structural signal, not raw content.
The system adapts inside your boundary. Preferences noted. Corrections absorbed. Patterns recognized. No cross-tenant pooling, ever.
Next event runs with more of your context embedded. Smarter recommendations from day one. Less time spent teaching the system what your team already knows.
Variance, outcomes, what didn't work. Fed back into the next capture β the loop closes and starts again, sharper.
The motion is real β and it's strictly per-tenant. No cross-customer pooling. No industry-wide corpus. Your loop stays inside your boundary, and you can stop it or reset it in one click.
Ten Commitments
Every commitment below is traceable to a migration, a library, or a test. If you need the exact file and line, ask your security reviewer to email security@showops.ai β we'll send it.
Your data trains your ShowOps.AI β adapting to your venues, crew patterns, preferences. Never trains a cross-tenant model, never pools with another tenant's data, never feeds an industry-wide corpus.
PROOF βlib/anthropic.ts runs under commercial no-training API terms. Per-tenant adaptation state is org-scoped and isolated at the learning layer. No fine-tuning pipeline crosses tenant boundaries.
Every consequential agent action creates a proposal, not a direct mutation. Proposals expire in 7 days. Role-gated approve/reject.
PROOF βvip.agent_proposals (migration 022), /api/agents/proposals endpoint.
Agents receive only the data their role and scope allow β not a tenant-wide data fishing license.
PROOF βlib/agent-rbac.ts β 3-layer RBAC (role β agent β venue β data filter). getChatContextDepth(role) limits LLM input by role.
Untrusted input (user text, imported files, vendor data) is treated as hostile. Sanitized and flagged before reaching any model.
PROOF βlib/agent-input-guard.ts + tests/lib/agent-input-guard.test.ts.
Every agent invocation is logged with inputs, outputs, prompt version, token counts, and model. Outputs link back to the source data they cited.
PROOF βvip.agent_runs + lib/agent-run.ts wrapper. Audit log in lib/audit.ts with before/after snapshots (24-month retention).
Anything written by an agent is visibly labeled in the UI. Users always know when they're reading machine output vs. human output.
PROOF βcomponents/lld/agents/agent-results.tsx renders the "AI-generated, pending review" badge. Proposals carry status pills through the review flow.
Budget commits, SOW signatures, work-order dispatch, and change-order approvals all require human sign-off. Agents recommend; humans commit.
PROOF βBudget agent (platform:margin_advisor) is advisory only. SOW signature gated by canSignSow (exec-only). Actualization triggered by human-confirmed WO completion.
Ranking features expose their signals and allow override. Every vendor score comes with the features that drove it.
PROOF βlib/supplier-scoring.ts returns { score, signals }. Staffing optimizer surfaces "why this suggestion" to the reviewer.
Staffing tracks certifications, availability, and costs β not location, keystrokes, or behavior.
PROOF βstaffing schema has no location, screenshot, or activity-tracking columns. PR-template checklist on every staffing migration.
Every agent-initiated mutation has an undo path: a revert action, an audit-log-backed manual reversal, or an explicit out-of-band process.
PROOF βlib/audit.ts captures before/after snapshots on every mutation. Proposal rejection is zero-cost (nothing mutated).
Sub-Processors
The full list of third-party services that process ShowOps.AI customer data, what each one does, and where it runs. Full terms live in our DPA.
| Vendor | Role | Region |
|---|---|---|
| Supabase | Database, authentication, file storage | US (East) |
| Anthropic | LLM API (commercial no-training terms) | US |
| Vercel | Application hosting, edge network | Global CDN, US primary |
| Resend | Transactional email delivery | US |
| Sentry | Error monitoring, performance tracing | US |
| Google Cloud | Service-account-backed Google Sheets sync for venue LLD data | US |
| Microsoft (Graph API) | Optional, per-tenant β OneDrive / SharePoint speaker content ingestion | US / EU (tenant region) |
Known Limits
Honest assessment. Every item below is a gap we're actively working on β and a promise we'll tell you before we claim to have closed it.
DELETE /api/admin/learned-patterns currently resets adaptive thresholds (the tunable parameters that learn from your teamβs overrides) within 24 hours. As additional learned-state tables ship in upcoming phases (metric baselines, template suggestions), the same endpoint extends to cover them.
Internal quarterly; external annual on the roadmap.
SOC 2-aligned architecture with completed internal gap analysis. Type 1 attestation on the roadmap.
Today the production platform runs on Vercel us-east-1 and Supabase us-east-2. EU residency available on request for enterprise tenants β contact security@showops.ai.
On the roadmap for enterprise tenants. Contact security@showops.ai for availability.
Security Contact
We respond to security reports within one business day. Coordinated disclosure welcomed. If a claim on this page doesn't match what you've found in the product or the DPA, we want to know β and we'll fix the claim or the product.