Every record is scoped to an organization through row-level security. Privileged calls happen only inside server functions. Evidence files live in a private bucket behind short-lived signed URLs and are SHA-256 hashed at upload.
Defense in depth
Auth
Email + Google sign-in. MFA-ready.
Database
Postgres with row-level security. Every record scoped to an organization.
Audit
Append-only audit log. Admin and auditor reads only.
Storage
Private bucket. Short-lived signed URLs for downloads.
Legal basis
Lawful-purpose confirmation required before any collection begins.
Findings
Default to 'unverified' until an analyst reviews them.
Controls in place today
Row-level security on every table
Role-based access — ten role tiers
Server-only Firecrawl + Lovable AI calls — keys never reach the browser
SHA-256 hashed evidence with chain-of-custody log
Retention policies and privacy-request tracking
Session timeout and signed-URL downloads
Source registry with allow/block controls
SOC 2-readiness control checklist (not a claim of certification)
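
A Postgres sketch of the organization scoping, the append-only audit log, and the 'unverified' default listed above. This is an added example, not this product's own schema: the table, column, role and setting names (`app_user`, `app.org_id`, `app.role`, the role strings) are assumptions, and each server function is assumed to set the two settings inside its transaction.

```sql
-- Constructed schema; every name here is an assumption, not the product's own.
-- Assumes each server function runs, inside its transaction:
--   SELECT set_config('app.org_id', '<org uuid>', true),
--          set_config('app.role',   '<role>',     true);
CREATE ROLE app_user NOLOGIN;  -- hypothetical non-owner role used by server functions

CREATE TABLE findings (
    id              bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    organization_id uuid NOT NULL,
    title           text NOT NULL,
    status          text NOT NULL DEFAULT 'unverified'  -- until an analyst reviews it
);
CREATE TABLE audit_log (
    id              bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    organization_id uuid NOT NULL,
    actor           text NOT NULL,
    action          text NOT NULL,
    created_at      timestamptz NOT NULL DEFAULT now()
);

-- FORCE makes the policies apply to the table owner as well.
ALTER TABLE findings  ENABLE ROW LEVEL SECURITY;
ALTER TABLE findings  FORCE  ROW LEVEL SECURITY;
ALTER TABLE audit_log ENABLE ROW LEVEL SECURITY;
ALTER TABLE audit_log FORCE  ROW LEVEL SECURITY;

-- Fail closed: an unset or empty app.org_id becomes NULL, and NULL matches no row.
CREATE POLICY findings_org ON findings
    USING      (organization_id = NULLIF(current_setting('app.org_id', true), '')::uuid)
    WITH CHECK (organization_id = NULLIF(current_setting('app.org_id', true), '')::uuid);

-- Audit log: any role may append within its own organization; only admin and
-- auditor may read. No UPDATE or DELETE policy exists, so RLS denies both.
CREATE POLICY audit_append ON audit_log FOR INSERT
    WITH CHECK (organization_id = NULLIF(current_setting('app.org_id', true), '')::uuid);
CREATE POLICY audit_read ON audit_log FOR SELECT
    USING (organization_id = NULLIF(current_setting('app.org_id', true), '')::uuid
           AND current_setting('app.role', true) IN ('admin', 'auditor'));

-- Privileges back up the policies: TRUNCATE is not filtered by RLS, so it is never granted.
GRANT SELECT, INSERT, UPDATE, DELETE ON findings  TO app_user;
GRANT SELECT, INSERT                 ON audit_log TO app_user;
```

Superusers and roles with `BYPASSRLS` are not subject to these policies, so the server functions should connect as a role with neither attribute.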