Trust & Security
How we handle your data.
The AC5 PMO Tool Suite stores federal capture, compliance, contract, and proposal data — much of it sensitive. This page describes the controls in place today and the ones on the roadmap. Last updated May 2026.
Data handling principles
- Workspace isolation. Every row in our Postgres database is workspace-scoped via Postgres Row-Level Security (RLS). Cross-workspace reads are impossible at the database layer — not just at the application layer — which means a bug in our code can’t leak data.
- Append-only audit log. Every meaningful state change writes a typed event to audit_log. The table denies UPDATE and DELETE at the RLS layer so the trail survives even compromised application code.
- PII redaction before AI calls. Every prompt sent to an LLM provider runs through our AI proxy, which scrubs SSN, EIN, Luhn-validated credit cards, emails, phones, and IP addresses before the call leaves our servers. Per-call overrides keep specific categories intact only when extraction explicitly needs them.
- Customer data export. Workspace owners can download a signed ZIP of every workspace-scoped row at any time. No support ticket, no account-deletion paperwork — just a button in Settings.
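The PII redaction step described in the list above, sketched as an added example (this is not AC5 Labs' proxy code). The category names, the placeholder format, and the patterns are assumptions; only US phone formats and IPv4 addresses are covered.

```javascript
// Added example, not AC5 Labs' proxy code. Category names and the
// [REDACTED_*] placeholder format are assumptions made for illustration.
// Order matters: longer, more specific patterns run before phone numbers.
const PATTERNS = {
  email: /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b/g,
  ssn: /\b\d{3}-\d{2}-\d{4}\b/g,
  ein: /\b\d{2}-\d{7}\b/g,
  card: /\b\d(?:[ -]?\d){12,18}\b/g, // 13-19 digits; confirmed with Luhn below
  ip: /\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b/g, // IPv4 only
  phone: /(?:\+?1[ .-]?)?(?:\(\d{3}\)\s?|\b\d{3}[ .-])\d{3}[ .-]\d{4}\b/g, // US formats
};

// Luhn checksum: double every second digit from the right, sum, test mod 10.
function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]);
    if (i % 2 === 1) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
  }
  return sum % 10 === 0;
}

// Scrub every category except those named in `keep` (the per-call override).
// Returns the scrubbed text plus per-category counts suitable for logging.
function redact(prompt, { keep = [] } = {}) {
  const counts = {};
  let text = prompt;
  for (const [category, pattern] of Object.entries(PATTERNS)) {
    if (keep.includes(category)) continue;
    text = text.replace(pattern, (match) => {
      // A digit run that fails Luhn is not treated as a card number.
      if (category === "card" && !luhnValid(match.replace(/\D/g, ""))) return match;
      counts[category] = (counts[category] || 0) + 1;
      return `[REDACTED_${category.toUpperCase()}]`;
    });
  }
  return { text, counts };
}

// Constructed sample prompt; every value in it is made up.
const SAMPLE =
  "Reach Jane at jane.doe@example.com or (202) 555-0143. SSN 123-45-6789, " +
  "EIN 12-3456789, card 4111 1111 1111 1111, order 4111 1111 1111 1112, host 203.0.113.7.";

console.log(redact(SAMPLE).text);
console.log(redact(SAMPLE, { keep: ["email"] }).text);
```

The second sample number fails the Luhn check and is left in place, which is the trade-off of Luhn validation: fewer false positives on order or tracking numbers, at the cost of missing mistyped card numbers.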
Encryption
- In transit. All connections use TLS 1.3. HTTP requests redirect to HTTPS; HSTS preload submission pending.
- At rest. Database encryption via Supabase-managed AES-256 (Postgres Transparent Data Encryption). File storage encrypted at rest in Supabase Storage. Both backed by AWS KMS using FIPS 140-2 validated cryptographic modules.
- Secrets. No secrets in Git — pre-commit Gitleaks + CI Gitleaks scan blocks committed credentials. Production secrets live in Vercel encrypted environment variables.
Access control
- Authentication. Supabase Auth — magic link or OAuth (Google, Microsoft). Sessions are HTTP-only secure cookies; rotation on privilege change. MFA enforcement on the Government tier roadmap.
- Authorization. Workspace roles (owner / admin / member). RLS policies enforce role at the database layer, not just the application layer.
- Internal access. AC5 Labs personnel access to production data is restricted to incident response. Access events are logged and notified to the workspace owner under our breach policy. Background checks for personnel with CUI access on the Government tier roadmap.
Sub-processors
We use the following third-party services to operate the suite. Each has a published privacy policy linked below.
| Provider | Purpose | Region | Policy |
|---|---|---|---|
| Supabase | Database (Postgres) + authentication + file storage | US (us-east-2) | Privacy policy ↗ |
| Vercel | Application hosting + edge network + serverless compute | US (auto-region pinned to us-east) | Privacy policy ↗ |
| Anthropic | AI/LLM inference (Claude models). PII redacted before send (CAL-400) | US | Privacy policy ↗ |
| Stripe | Payment processing for subscriptions | US | Privacy policy ↗ |
| Resend | Transactional email (invites, marketplace notifications) | US | Privacy policy ↗ |
Incident response
- Notification target. We commit to notifying affected workspace owners within 72 hours of confirming a security incident, including a description of impact and remediation status.
- Reporting a vulnerability. Email security@ac5labs.com or follow the disclosure policy in SECURITY.md.
- No legal action against good-faith researchers acting within the scope described in our disclosure policy.
Compliance roadmap
The suite is designed to support government-industry buyers, and the certification roadmap reflects that. Each item below is planned but not yet attained — we publish target dates as a sponsoring customer commits.
- SOC 2 Type II — controls in place; observation window opens once we sign customer #1.
- Section 508 / WCAG 2.1 AA — third-party audit on the roadmap; in-house axe-core checks run on every PR.
- FedRAMP Moderate — 12–18 month authorization process; commitment requires a sponsoring federal agency.
- CMMC Level 2 — for CUI-handling customers; SSP + 3PAO assessment process.
- StateRAMP for SLED customers.
Customer rights
- Export anytime. Workspace owners can download a signed ZIP of their entire workspace from /settings/export inside the suite. No support ticket required.
- Delete anytime. Workspace owners can delete their workspace from /settings/danger. Deletion is a hard delete from primary storage; backups age out within 30 days.
- No training on customer data. We do not use customer data to train any AI model — neither ours nor a provider’s. Anthropic’s API has model training disabled by default.
Talk to us
Security questions before signing?
Email anthony@ac5labs.com for a security questionnaire response, sub-processor list, or a call with the founder. Response within one business day.
AC5 Labs, LLC · This page is informational; specific contractual commitments live in your MSA / DPA.