01
Sandboxed parsers
Every AI-generated parser runs in a hardened Docker container with no network, read-only FS, locked-down syscalls, and a 30-second soft timeout. The parser process can't reach your data store, your secrets, or the host.
Home/Security
Defense in depth, not by adjective.
Six controls that ship in every plan. Diligence-ready under NDA.
02
Multi-tenant isolation
Every query carries an org_id and is filtered by a SQLAlchemy event hook before it leaves the app. Cross-tenant reads are impossible by construction, not by convention.
03
Argon2id everywhere
Passwords and API keys are hashed with Argon2id (m=64MB, t=3, p=4). Plaintext keys are visible exactly once, in the create-key dialog. After that we keep a SHA-256 lookup hash and the Argon2id verifier — never the original.
04
Encrypted at rest, encrypted in transit
TLS 1.3 to the API. Postgres at rest is encrypted on Neon's managed disks; object storage uses SSE-S3 on Cloudflare R2.
05
Hash-chained audit log
Every owner-level action — login, key create, member invite, plan change, settings change, file upload, transformation — writes an immutable audit row with a SHA-256 of the previous event. Break one and the chain visibly fractures.
06
Backups + restore
R2 versioning + 30-day lifecycle on every input/output bucket. Daily Postgres pg_dump → R2 with restore drill documented in docs/runbooks/backups-and-restore.md.
Want the full diligence pack?
SOC 2 Type II report, ISO 27001 certificate, penetration-test summary, sub-processor change feed, DPA. We send under NDA — usually same-day.