Security & data protection

Reconciliation handles confidential accounting documents. Privacy and isolation are designed in, not bolted on.

Tenant isolation

  • Row-Level Security on every table — each firm’s data is sealed off at the database layer.
  • Multi-tenant by org → client account (sub-company) → document type.

Confidential document handling

  • Zero-retention: raw documents are processed and then deleted, not kept on our infrastructure.
  • Transient, isolated processing in a no-network sandbox — nothing can exfiltrate or persist.
  • History stores only aggregates (match rate, counts, field names) — never the values.

Staff access — break-glass, tiered, audited

  • No standing access. Staff can only reach items that failed or were escalated for review.
  • T0 (script, no PII): just-in-time + immutable audit log.
  • T1 (parsed content): requires a reason, audit-logged, re-derived in memory and streamed — never stored.
  • T2 (raw PDF): break-glass only — explicit customer consent + manual approval.

Application & API security

  • Defense-in-depth admin gating; server-set roles users cannot edit.
  • Parameterized SQL; validated inputs; signed payment + inbound webhooks; hashed API keys.
  • PDF malware scanning + encrypted-file detection before any document is parsed.
  • Per-action rate limiting and upload caps.
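Three of the controls listed above, parameterized SQL, hashed API keys and signed inbound webhooks, shown together in one runnable Python example. This is an added illustration, not Reconciliation's own code: the table names, the `pz_` key prefix, the `timestamp.body` signing layout and the 300-second replay window are constructed assumptions, and sqlite3 stands in for whatever database the product uses.

```python
"""Added example (not Pandaza's code): parameterized queries, hashed API keys
and HMAC-signed webhooks using only the Python standard library.
All names and sample values below are constructed for illustration."""
import hashlib
import hmac
import secrets
import sqlite3

# --- Parameterized SQL ------------------------------------------------------
def find_documents(conn, org_id, doc_type):
    # Placeholders keep caller-supplied values out of the SQL text: an input such
    # as "' OR 1=1 --" is compared as a literal string, never parsed as SQL.
    cur = conn.execute(
        "SELECT id FROM documents WHERE org_id = ? AND doc_type = ? ORDER BY id",
        (org_id, doc_type),
    )
    return [row[0] for row in cur.fetchall()]

# --- Hashed API keys --------------------------------------------------------
def hash_api_key(key):
    # Keys are high-entropy random tokens, so an unsalted SHA-256 is sufficient
    # (unlike passwords, they cannot be guessed from a dictionary). Only the
    # digest is stored, so a database leak does not yield usable keys.
    return hashlib.sha256(key.encode()).hexdigest()

def issue_api_key(conn, org_id):
    key = "pz_" + secrets.token_urlsafe(32)  # "pz_" prefix is a constructed convention
    conn.execute(
        "INSERT INTO api_keys (key_hash, org_id) VALUES (?, ?)",
        (hash_api_key(key), org_id),
    )
    return key  # returned to the caller once; the clear-text key is never persisted

def org_for_api_key(conn, presented_key):
    # Lookup by digest: the presented key is hashed and matched against storage.
    row = conn.execute(
        "SELECT org_id FROM api_keys WHERE key_hash = ?",
        (hash_api_key(presented_key),),
    ).fetchone()
    return row[0] if row else None

# --- Signed inbound webhooks ------------------------------------------------
def sign_webhook(secret, timestamp, body):
    # Signature covers both the timestamp and the raw body, so neither can be
    # altered without invalidating the MAC. Layout "<ts>.<body>" is assumed.
    msg = f"{timestamp}.".encode() + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def verify_webhook(secret, timestamp, body, signature, now, tolerance=300):
    # Reject deliveries outside the replay window, then compare digests in
    # constant time so response timing does not leak how many bytes matched.
    if abs(now - timestamp) > tolerance:
        return False
    expected = sign_webhook(secret, timestamp, body)
    return hmac.compare_digest(expected, signature)

# --- Constructed sample database --------------------------------------------
def demo_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE documents (id INTEGER PRIMARY KEY, org_id TEXT, doc_type TEXT);
        CREATE TABLE api_keys (key_hash TEXT PRIMARY KEY, org_id TEXT);
        INSERT INTO documents (org_id, doc_type) VALUES
            ('org_a', 'bank_statement'), ('org_a', 'ledger'), ('org_b', 'bank_statement');
    """)
    return conn

if __name__ == "__main__":
    conn = demo_db()
    print("org_a bank statements:", find_documents(conn, "org_a", "bank_statement"))
    print("injection attempt:", find_documents(conn, "org_a", "' OR 1=1 --"))
    key = issue_api_key(conn, "org_a")
    print("key resolves to:", org_for_api_key(conn, key))
    secret = b"constructed-webhook-secret"
    body = b'{"event":"payment.settled"}'
    sig = sign_webhook(secret, 1_700_000_000, body)
    print("fresh delivery accepted:", verify_webhook(secret, 1_700_000_000, body, sig, now=1_700_000_010))
    print("stale delivery rejected:", not verify_webhook(secret, 1_700_000_000, body, sig, now=1_700_001_000))
```

The webhook check deliberately fails closed on both a stale timestamp and a body change; in a real service the raw request bytes, not a re-serialized JSON object, must be fed to `verify_webhook`, since any whitespace difference changes the MAC.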

On the roadmap

Envelope encryption at rest for stored reports, and customer-managed keys (BYOK) for enterprise tenants who require provider-blind storage.

Security questions or a review request? Email privacy@pandaza.net.