Security & Architecture

Built for the enterprise InfoSec reviewer.

This is the technical companion to /safety. Architecture diagrams, authentication details, audit retention, compliance posture, and the security questionnaire download. If your review needs a control ID we haven't covered, ask security@showops.ai — we respond in one business day.

Architecture

Isolation enforced at the database, not the UI.

Every tenant boundary is enforced at the lowest layer possible. Row-Level Security on every table. Org-scoping across every query path. No UI-layer filters that can be bypassed with a URL trick.

Tenancy & data isolation

Row-Level Security (RLS) on every table across all 13 tenant schemas (public, vip, lld, produce, rehearse, staffing, sales, budget, suppliers, dispatch, spaces, logistics, intelligence, shared, platform). RLS policies match organization_id against the caller's JWT claim via current_user_org_id() — cross-tenant reads and writes are blocked at the database, not just the API. The browser anon-key client returns zero rows from every multi-tenant schema. Every server-side query is filtered by organization_id, verified by an org-scoping CI lint covering all 13 schemas. New tables require RLS in the same migration (CI guardrail).

PROOF → JWT-backed RLS via current_user_org_id() · anon SELECT revoked · org-scoping CI lint
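
The "new tables require RLS in the same migration" rule can be checked mechanically. The sketch below is an added example, not ShowOps code: the regexes, the sample migration and its table names are constructed, and unqualified table names are assumed to resolve to public.

```typescript
// Added example, not ShowOps code: reject a migration that creates a table
// without enabling RLS on it in the same file.
const CREATE_RE = /\bcreate\s+table\s+(?:if\s+not\s+exists\s+)?([\w."]+)/;
const ENABLE_RE =
  /\balter\s+table\s+(?:if\s+exists\s+)?(?:only\s+)?([\w."]+)\s+enable\s+row\s+level\s+security/;

// Assumption: unqualified names resolve to the public schema. Names are case-folded.
function normalise(name: string): string {
  const parts = name.replace(/"/g, "").toLowerCase().split(".");
  return parts.length === 1 ? "public." + parts[0] : parts.join(".");
}

// Drop /* */ and -- comments so commented-out DDL does not count as enabling RLS.
function stripComments(sql: string): string {
  return sql.replace(/\/\*[\s\S]*?\*\//g, " ").replace(/--.*$/gm, " ");
}

function tableNames(re: RegExp, sql: string): string[] {
  const scan = new RegExp(re.source, "gi");
  const names: string[] = [];
  let m: RegExpExecArray | null;
  while ((m = scan.exec(sql)) !== null) names.push(normalise(m[1]));
  return names;
}

// Tables the migration creates but never places under RLS.
function tablesMissingRls(migrationSql: string): string[] {
  const sql = stripComments(migrationSql);
  const enabled = tableNames(ENABLE_RE, sql);
  return tableNames(CREATE_RE, sql).filter((t) => enabled.indexOf(t) === -1);
}

// Constructed sample: the second table's ALTER is commented out.
const sampleMigration = `
create table vip.guest_lists (id uuid primary key, organization_id uuid not null);
alter table vip.guest_lists enable row level security;
create policy org_isolation on vip.guest_lists
  using (organization_id = current_user_org_id());

create table staffing.shift_notes (id uuid primary key, organization_id uuid not null);
-- alter table staffing.shift_notes enable row level security;
`;

console.log(tablesMissingRls(sampleMigration)); // a CI job would fail on a non-empty list
```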

Per-tenant learning boundary (Shape B)

Multiple independent guards. App-level scoped client wrapper (orgId is a constructor invariant). CI grep (check-learning-scope.ts) fails the build if any file outside lib/learning/ touches the schema. DB-level strict RLS with FORCE ROW LEVEL SECURITY and session-var policy. The Anthropic SDK has exactly one allowed import site (lib/anthropic.ts), enforced by check-anthropic-choke.ts; check-no-training.ts asserts no fine-tuning headers. No pooled training. No cross-tenant queries. Ever.

PROOF → lib/learning/client.ts · scripts/ci/check-learning-scope.ts · learning schema FORCE RLS
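
A build-time check of the two choke points named above could look like the following. This is an added example, not the contents of check-learning-scope.ts or check-anthropic-choke.ts; it assumes the SDK package is "@anthropic-ai/sdk" and that "touching the schema" means a Supabase-style .schema("learning") call, and the file map is constructed.

```typescript
// Added example, not ShowOps code: lint a map of repo-relative path -> source text.
// Assumption: the SDK is imported as "@anthropic-ai/sdk" (or a subpath of it).
const SDK_IMPORT =
  /(?:from\s+|import\s+|require\(\s*|import\(\s*)["']@anthropic-ai\/sdk(?:\/[^"']*)?["']/;
// Assumption: schema access goes through a .schema("learning") call.
const LEARNING_SCHEMA = /\.schema\(\s*["'`]learning["'`]\s*\)/;

interface Violation {
  file: string;
  rule: "anthropic-choke" | "learning-scope";
}

function lintChokePoints(files: Record<string, string>): Violation[] {
  const violations: Violation[] = [];
  // Sorted so CI output is stable between runs.
  for (const file of Object.keys(files).sort()) {
    const src = files[file];
    // Exactly one allowed import site for the SDK.
    if (SDK_IMPORT.test(src) && file !== "lib/anthropic.ts") {
      violations.push({ file, rule: "anthropic-choke" });
    }
    // Only files under lib/learning/ may reference the learning schema.
    if (LEARNING_SCHEMA.test(src) && file.indexOf("lib/learning/") !== 0) {
      violations.push({ file, rule: "learning-scope" });
    }
  }
  return violations;
}

// Constructed sample repository: two allowed files, two violations.
const sampleRepo: Record<string, string> = {
  "lib/anthropic.ts": 'import Anthropic from "@anthropic-ai/sdk";',
  "lib/learning/client.ts": 'return db.schema("learning").from("signals");',
  "app/api/report/route.ts": 'import Anthropic from "@anthropic-ai/sdk";',
  "lib/vip/stats.ts": 'return db.schema("learning").from("signals");',
};

console.log(lintChokePoints(sampleRepo)); // a CI job would exit non-zero if non-empty
```

A text-level lint only sees literal references, which is why the section pairs it with the database-level FORCE ROW LEVEL SECURITY guard.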

Hosting & encryption

All data at rest encrypted by Supabase (AES-256). All transport TLS 1.3 minimum, HSTS preload. CSP with per-request nonce (no unsafe-inline scripts). Sensitive financial fields (BOM cost, sourcing, lead times) carry an additional application-layer AES-256-GCM encryption layer at rest with a separately-managed key. External-integration OAuth refresh tokens encrypted with AES-256-GCM via a dedicated secrets key. No customer data on Vercel edge beyond CDN-cached public marketing pages.

PROOF → Vercel (US primary) · Supabase (US East) · TLS 1.3 everywhere

Data residency

All customer data processed and stored in US regions (Supabase us-east, Vercel primarily iad1). EU data residency is on the roadmap for tenants with regulatory need — scope and timeline shared on request.

PROOF → US-only today · EU on roadmap

Authentication & access control

7 roles, per-venue scoping, agent RBAC.

Every access decision runs through three layers: role → module → venue scope. Agents add a fourth: role → agent access → venue scope → data filter.

| Role | Access tier | Venue scope |
| --- | --- | --- |
| admin | Full · all modules · all venues | Org-wide |
| executive_producer | Full · all modules | Org-wide |
| producer | Full · all modules | Org-wide |
| technical_director | Technical tier · LLD + dispatch | Org-wide |
| venue_manager | Scoped read + check-in | Per-venue filtered |
| stakeholder | Summary read · milestones + alerts | Org-wide (filtered) |
| viewer | Support read-only · no infra data | Org-wide (minimal) |

Session management

HMAC-SHA256 signed cookies, 12-hour expiry, sliding-window renewal at 50% lifetime (6h). Service role key never leaves the server. Magic-link admin invites (72h TTL, single-use, hashed at rest) replace password-based admin onboarding entirely.
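
The cookie scheme described above, worked through as an added example that is not ShowOps code. The cookie layout ("payload.tag", both base64url), the field names and the demo key are assumptions; the 12-hour lifetime and 6-hour renewal point are the values stated in this section.

```typescript
import { createHmac, timingSafeEqual } from "crypto";

// Added example, not ShowOps code. Layout "<payload>.<tag>" is an assumption.
const LIFETIME_MS = 12 * 60 * 60 * 1000; // 12-hour expiry
const RENEW_AFTER_MS = LIFETIME_MS / 2; // renew once 50% of the lifetime (6h) has elapsed

interface Session { userId: string; orgId: string; issuedAt: number; }
type Result =
  | { ok: true; session: Session; renewed: string | null }
  | { ok: false; reason: "malformed" | "bad-signature" | "expired" };

function tag(payload: string, key: Buffer): Buffer {
  return createHmac("sha256", key).update(payload).digest();
}

function issue(session: Session, key: Buffer): string {
  const payload = Buffer.from(JSON.stringify(session)).toString("base64url");
  return payload + "." + tag(payload, key).toString("base64url");
}

function verify(cookie: string, key: Buffer, now: number): Result {
  const parts = cookie.split(".");
  if (parts.length !== 2) return { ok: false, reason: "malformed" };
  const given = Buffer.from(parts[1], "base64url");
  const expected = tag(parts[0], key);
  // Length check first: timingSafeEqual throws on buffers of unequal length.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    return { ok: false, reason: "bad-signature" };
  }
  // Parse only after the MAC verifies, so unauthenticated bytes never reach JSON.parse.
  const session: Session = JSON.parse(Buffer.from(parts[0], "base64url").toString("utf8"));
  const age = now - session.issuedAt;
  if (age < 0 || age >= LIFETIME_MS) return { ok: false, reason: "expired" };
  // Sliding window: past the halfway point, hand back a cookie with a fresh issuedAt.
  const renewed = age >= RENEW_AFTER_MS ? issue({ ...session, issuedAt: now }, key) : null;
  return { ok: true, session, renewed };
}

// Constructed demo: a cookie issued 7h ago verifies and comes back with a renewal.
const demoKey = Buffer.alloc(32, 7); // constructed key; a real key comes from a secret store
const demoNow = Date.now();
const demoCookie = issue({ userId: "u1", orgId: "org-a", issuedAt: demoNow - 7 * 3600 * 1000 }, demoKey);
console.log(verify(demoCookie, demoKey, demoNow));
```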

SSO — Okta / SAML 2.0

On the roadmap for enterprise tenants. Supabase SAML 2.0 integration. SCIM provisioning planned to follow. CT/NEP is the reference implementation. Timeline shared on request.

Audit & monitoring

Before, after, when, who.

Every mutation writes an audit record with before/after snapshots. 24-month retention. CSV export on request. No "trust me" compliance posture — the log is the proof.

Retention

24 months

Every audit record is kept for 24 months with before/after snapshots. CSV export from the retained log is available on request.

Coverage

100% of mutations

Every write through the API writes an audit record. Background jobs (sync, reconcile) also audit. Read access logged at route level.

Agent runs

Fully traceable

Every AI agent invocation logged in vip.agent_runs with inputs, outputs, prompt version, model, token counts. Runs link back to the data they cited.

Monitoring

Sentry + BetterStack

Sentry for errors + performance (per-endpoint sampling). BetterStack external uptime + paging. Supabase security advisor runs continuously.

Compliance posture

SOC 2-aligned. Attestation on the roadmap.

SOC 2-aligned architecture with completed internal gap analysis. The bulk of Common Criteria controls met today with running-in-production evidence; remaining gaps tracked explicitly in our internal working document. Type 1 attestation on the roadmap. We'll share the gap analysis under NDA on request.

Published today: DPA, AUP, Privacy, Cookies, Terms, Security (this page), Safety. GDPR posture follows the DPA. CCPA handled via Privacy policy.

Ask for a control-by-control mapping at security@showops.ai.

Incident response

How we respond when something breaks.

Published disclosure timeline, published postmortem policy, one SLA for every reporter — internal, researcher, or enterprise reviewer.

Disclosure SLA

1 business day

Every report to security@showops.ai gets a human response in one business day. Coordinated disclosure welcomed — credit given with your permission.

Incident classification

P1–P4

P1 (data exposure / outage > 15min) — immediate page. P2 (degraded service) — same-hour. P3/P4 — scheduled triage. Affected tenants notified per DPA terms.

Postmortems

Published

P1 / P2 incidents get a blameless postmortem shared with affected tenants within 7 days. Root cause, timeline, remediation, structural changes.

Security Contact

For the reviewer digging in — ask for what you need.

Control mappings (CAIQ-lite, SIG-lite, SOC 2), network diagrams, sub-processor agreements, pen-test summaries (when available), DPA terms. We'll share what we have and flag what we don't. If your review identifies a gap we haven't addressed, that's exactly what we want to hear.