Trust
Security
Security is part of the product surface—not a brochure afterthought. Below is the MVP baseline; formal certifications are roadmapped with enterprise deals, not invented here.
Tenant isolation
Every tenant-owned row carries organization_id. Client roles never cross tenants.
Auth & access
JWT sessions, membership roles, platform staff scoped to ops endpoints.
Webhook integrity
HMAC signatures and timestamp skew checks on inbound lead webhooks.
Decision audit
Qualification stores policy version, inputs, score contributions, result, and overrides.
Transport & secrets
TLS in transit; production secrets via secret manager—not env dumps in logs.
PII discipline
Operational logs aim to mask phone/email; retention configurable per deployment.