
Security at Trendnaut

Your customer data and contracts run on infrastructure designed for SOC 2 Type II + DPDP Act 2023 + GDPR. Below is the actual posture, not marketing aspiration.

Encryption

In transit
TLS 1.3 enforced. HSTS preload-eligible (2-year max-age), HTTPS upgrade applied to all subdomains.
At rest (managed)
Supabase Postgres uses AES-256 encryption at rest (default cluster-level encryption).
At rest (application-layer)
Sensitive fields (OAuth refresh tokens, webhook signing keys, MFA secrets) are envelope-encrypted with AES-256-GCM before storage. The encryption key (ENVELOPE_KEY) is customer-managed via environment variable, so a database dump alone is not sufficient to decrypt these fields.
Key rotation
ENVELOPE_KEY is rotated annually as a hygiene baseline + within 24 hours of any suspected disclosure. The runbook (encryption-rotation.md) covers planned + emergency paths.
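The envelope pattern above and the rotation it enables, as an added example in TypeScript using Node's crypto module. This is not Trendnaut's code: the record layout, the kekId field, the key-ring shape, the context string and the demo keys are all assumptions. A per-field data key (DEK) encrypts the value; the DEK is wrapped under the key-encryption key (the ENVELOPE_KEY role); rotation rewraps only the DEK, so the field ciphertext is never rewritten.

```typescript
import { createCipheriv, createDecipheriv, randomBytes } from 'node:crypto';

// Hypothetical storage layout for one envelope-encrypted field. The kekId lets
// the old and new ENVELOPE_KEY values coexist during a rotation window.
interface EnvelopeRecord {
  kekId: string;      // id of the key-encryption key that wrapped the DEK
  wrappedDek: string; // base64: iv || gcm-tag || AES-256-GCM(kek, dek)
  data: string;       // base64: iv || gcm-tag || AES-256-GCM(dek, plaintext)
}

type KeyRing = Record<string, Buffer>; // kekId -> 32-byte KEK loaded from the environment

// AES-256-GCM with a fresh 96-bit IV per call; the AAD binds the blob to its purpose.
function gcmSeal(key: Buffer, plaintext: Buffer, aad: Buffer): Buffer {
  const iv = randomBytes(12);
  const cipher = createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(aad);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]);
}

function gcmOpen(key: Buffer, blob: Buffer, aad: Buffer): Buffer {
  const decipher = createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  decipher.setAAD(aad);
  decipher.setAuthTag(blob.subarray(12, 28));
  // final() throws when the tag does not verify: tampering, wrong key, or wrong AAD
  return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
}

// context is a constructed binding string such as "crm_integrations:42:refresh_token".
// Using it as AAD stops a valid ciphertext from being copied into another row or column.
function sealField(plaintext: string, kekId: string, ring: KeyRing, context: string): EnvelopeRecord {
  const kek = ring[kekId];
  if (!kek) throw new Error(`unknown KEK ${kekId}`);
  const dek = randomBytes(32); // fresh data key for this one field
  return {
    kekId,
    wrappedDek: gcmSeal(kek, dek, Buffer.from(kekId)).toString('base64'),
    data: gcmSeal(dek, Buffer.from(plaintext, 'utf8'), Buffer.from(context)).toString('base64'),
  };
}

function openField(rec: EnvelopeRecord, ring: KeyRing, context: string): string {
  const kek = ring[rec.kekId];
  if (!kek) throw new Error(`unknown KEK ${rec.kekId}`);
  const dek = gcmOpen(kek, Buffer.from(rec.wrappedDek, 'base64'), Buffer.from(rec.kekId));
  return gcmOpen(dek, Buffer.from(rec.data, 'base64'), Buffer.from(context)).toString('utf8');
}

// Planned or emergency rotation: only the wrapped DEK is rewritten under the new KEK.
// The field ciphertext is untouched, so the sweep is one small update per row.
function rewrapField(rec: EnvelopeRecord, ring: KeyRing, newKekId: string): EnvelopeRecord {
  const oldKek = ring[rec.kekId];
  const newKek = ring[newKekId];
  if (!oldKek || !newKek) throw new Error('unknown KEK id');
  const dek = gcmOpen(oldKek, Buffer.from(rec.wrappedDek, 'base64'), Buffer.from(rec.kekId));
  return { ...rec, kekId: newKekId, wrappedDek: gcmSeal(newKek, dek, Buffer.from(newKekId)).toString('base64') };
}

// Constructed key ring standing in for the ENVELOPE_KEY value before and after a rotation.
// Real keys come from the environment, never from source.
const demoRing: KeyRing = {
  'kek-2025': Buffer.alloc(32, 0x11), // retired after the sweep
  'kek-2026': Buffer.alloc(32, 0x22), // current
};
```

Once every row has been rewrapped, the retired KEK can be dropped from the ring; any record still carrying the old kekId then fails to open, which is the signal that the sweep missed a row.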

Tenant isolation

Row-Level Security (RLS)
Every crm_* table has Postgres RLS enabled with explicit policies. Members can only read their own org’s rows. Service-role access is gated behind a wrapper that requires a documented reason per use site.
ESLint enforcement
Four custom ESLint rules block tenant-isolation regressions at edit time:
  • no-admin-client-in-api. Direct service-role imports require a documented reason.
  • require-assert-org-ownership. Every server action must verify resource ownership before mutation.
  • require-anthropic-meter. Direct AI SDK calls must go through the metering wrapper.
  • no-tenant-insert-without-org-id. Every insert into a tenant table includes org_id explicitly.
Tenant-isolation regression test suite
Every server action is exercised against a mocked cross-tenant probe; any successful read or write fails CI.
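How an ownership assertion and a cross-tenant probe fit together, as an added TypeScript example that is not Trendnaut's test suite or lint code. The in-memory DealStore, the Session shape, the assertOrgOwnership helper and both server actions are constructed for illustration; the store's org_id filter stands in for what the Postgres RLS policy enforces, and its adminUpdate path stands in for the service-role client that no-admin-client-in-api flags.

```typescript
// Constructed fixture shape standing in for a crm_* row with an org_id column.
interface Deal { id: string; org_id: string; title: string }
interface Session { userId: string; orgId: string }

class DealStore {
  private rows = new Map<string, Deal>();
  constructor(seed: Deal[]) { seed.forEach((r) => this.rows.set(r.id, { ...r })); }

  // Tenant-scoped access: the org_id filter mirrors an RLS policy applied server-side,
  // so rows outside the caller's org are simply not visible.
  select(session: Session, id: string): Deal | null {
    const r = this.rows.get(id);
    return r && r.org_id === session.orgId ? { ...r } : null;
  }
  update(session: Session, id: string, patch: Partial<Omit<Deal, 'id' | 'org_id'>>): boolean {
    const r = this.rows.get(id);
    if (!r || r.org_id !== session.orgId) return false;
    Object.assign(r, patch);
    return true;
  }
  // Service-role path that bypasses the org filter (the kind of call the lint rule exists to catch).
  adminUpdate(id: string, patch: Partial<Omit<Deal, 'id' | 'org_id'>>): boolean {
    const r = this.rows.get(id);
    if (!r) return false;
    Object.assign(r, patch);
    return true;
  }
  snapshot(id: string): Deal | undefined {
    const r = this.rows.get(id);
    return r ? { ...r } : undefined;
  }
}

class OwnershipError extends Error {}

// The check require-assert-org-ownership demands before any mutation.
function assertOrgOwnership(session: Session, row: { org_id: string } | null): void {
  if (!row || row.org_id !== session.orgId) throw new OwnershipError('resource not owned by caller org');
}

type ServerAction = (store: DealStore, session: Session, id: string, title: string) => boolean;

// Correct action: tenant-scoped read, explicit ownership assertion, tenant-scoped write.
const renameDealSafe: ServerAction = (store, session, id, title) => {
  const row = store.select(session, id);
  assertOrgOwnership(session, row);
  return store.update(session, id, { title });
};

// Regressed action: skips the assertion and writes through the admin path.
const renameDealLeaky: ServerAction = (store, session, id, title) => store.adminUpdate(id, { title });

// Cross-tenant probe: invoke the action as org-b against org-a's row. A reported success
// OR any observable change to the row counts as a leak; CI fails on leaked === true.
function crossTenantProbe(action: ServerAction): { leaked: boolean; detail: string } {
  const store = new DealStore([
    { id: 'deal-a1', org_id: 'org-a', title: 'Acme renewal' },
    { id: 'deal-b1', org_id: 'org-b', title: 'Globex pilot' },
  ]);
  const probe: Session = { userId: 'user-b', orgId: 'org-b' };
  const before = JSON.stringify(store.snapshot('deal-a1'));
  let succeeded = false;
  try {
    succeeded = action(store, probe, 'deal-a1', 'renamed-from-other-org');
  } catch (e) {
    if (!(e instanceof OwnershipError)) throw e; // only the expected rejection is tolerated
  }
  const mutated = JSON.stringify(store.snapshot('deal-a1')) !== before;
  if (succeeded || mutated) {
    return { leaked: true, detail: `cross-tenant write ${succeeded ? 'reported success' : 'silently changed the row'}` };
  }
  return { leaked: false, detail: 'rejected by ownership check, row unchanged' };
}
```

Checking both the return value and a before/after snapshot matters: an action that returns false but still mutated the row through an admin client would pass a return-value-only probe.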

Authentication

Multi-factor (TOTP)
Per-user TOTP enrollment with 10 single-use backup codes. Org policy can require MFA for admins (Professional+ tier) or every user (Enterprise tier). MFA secrets are encrypted at rest.
SSO / SCIM
SAML SSO + SCIM v2 user provisioning available on the Enterprise tier (Azure AD + Okta tested).
Sensitive-action gating
Billing changes, role changes, and API-key rotation are blocked until the user has MFA-verified within the recent session window.

Compliance

DPDP Act 2023 (India)
Per-purpose consent ledger (crm_consent_records). Append-only, RLS-locked, covers 8 purposes (transactional, marketing, AI processing, analytics, third-party sharing, etc.). DSAR endpoints (/api/v1/dsar/export, /api/v1/dsar/delete) are operational.
GDPR (EU)
Same consent + DSAR infrastructure. Data Processor Agreement available on request. Data residency configurable per-org for Enterprise customers.
SOC 2 Type II
Type 1 in progress for Q4 2026. Type 2 follow-on Q2 2027.
RBI guidelines
Audit log retention configured for 24 months on operational tables, 7 years on financial tables (invoices + contracts).

Audit + observability

Append-only audit log
Every mutation by every user produces a crm_audit_logs row with the diff. Log is partition-pruned at the configured retention window.
Sentry alerts
14 source-controlled alert specs (.sentry/alerts.json) cover webhook signature failures, cron staleness, envelope-decrypt failures, AI cost spikes, tenant-leak patterns, payment failures. Drift between this spec and live Sentry config is checked quarterly.
Cron health monitor
/api/cron/cron-health runs every 30 min and flags any cron whose last successful run is > 2× its schedule interval. Monitored externally.

Backups + recovery

Daily backups + PITR
Supabase Pro backups daily (7-day retention) plus point-in-time recovery to 1-second granularity. Quarterly restore drills documented in database-backup-restore.md.
Audit logs as a recovery side channel
Even rows that have been deleted leave a diff in the audit log; we can reconstruct from audit when PITR isn’t sufficient.
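The audit-log mechanics described in the two sections above (a per-mutation diff row, and replaying those diffs to rebuild a deleted record), as an added TypeScript example that is not Trendnaut's code. The crm_audit_logs column layout, the Row type and the seq numbering are assumptions; the real table's columns are not stated on the page.

```typescript
type Row = Record<string, string | number | boolean | null>;

interface FieldChange { old: Row[string] | undefined; new: Row[string] | undefined }

// Hypothetical shape of one crm_audit_logs row.
interface AuditEntry {
  seq: number;                 // monotonic, assigned on append
  table: string;
  rowId: string;
  op: 'insert' | 'update' | 'delete';
  actor: string;
  diff: Record<string, FieldChange>;
}

// Column-level diff: only fields whose value actually changed appear.
function diffRows(before: Row | null, after: Row | null): Record<string, FieldChange> {
  const keys = new Set([...Object.keys(before ?? {}), ...Object.keys(after ?? {})]);
  const out: Record<string, FieldChange> = {};
  for (const k of Array.from(keys)) {
    const o = before ? before[k] : undefined;
    const n = after ? after[k] : undefined;
    if (o !== n) out[k] = { old: o, new: n };
  }
  return out;
}

// Append-only: the log is only ever pushed to; nothing here edits or removes an entry.
// A delete records every old value, so the row is recoverable from that entry alone.
function recordMutation(log: AuditEntry[], table: string, rowId: string, actor: string, before: Row | null, after: Row | null): AuditEntry {
  const op = before === null ? 'insert' : after === null ? 'delete' : 'update';
  const entry: AuditEntry = { seq: log.length + 1, table, rowId, op, actor, diff: diffRows(before, after) };
  log.push(entry);
  return entry;
}

// Replay the diffs forward to the state after `untilSeq` (null when the row does not exist then).
function replayRow(log: AuditEntry[], table: string, rowId: string, untilSeq = Infinity): Row | null {
  let state: Row | null = null;
  for (const e of log) {
    if (e.table !== table || e.rowId !== rowId || e.seq > untilSeq) continue;
    if (e.op === 'delete') { state = null; continue; }
    const next: Row = { ...(state ?? {}) };
    for (const [k, c] of Object.entries(e.diff)) {
      if (c.new === undefined) delete next[k]; else next[k] = c.new;
    }
    state = next;
  }
  return state;
}

// Recovery side channel: rebuild a deleted row from everything logged before its delete.
function recoverDeletedRow(log: AuditEntry[], table: string, rowId: string): Row | null {
  const del = [...log].reverse().find((e) => e.table === table && e.rowId === rowId && e.op === 'delete');
  return del ? replayRow(log, table, rowId, del.seq - 1) : null;
}
```

Replaying from the first insert rather than trusting only the delete entry also reconstructs the row at any earlier seq, which is what an investigation needs when the question is "what did this record look like before user X changed it".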

Vulnerability disclosure

security@trendnautlabs.in
We respond to security reports within 24 hours and fix critical issues within 72 hours. PGP key on the SECURITY.md page in our public repo.
Bug bounty
Currently invitation-only; production bug bounty launching with the Wk 11 closed beta cohort.

Need a security review for procurement?

We complete vendor security questionnaires within 5 business days. Email security@trendnautlabs.in with the questionnaire attached.
