Skip to content

Trust

Security

Security is part of the product surface—not a brochure afterthought. Below is the MVP baseline; formal certifications are roadmapped with enterprise deals, not invented here.

Tenant isolation

Every tenant-owned row carries organization_id. Client roles never cross tenants.

Auth & access

JWT sessions, membership roles, platform staff scoped to ops endpoints.

Webhook integrity

HMAC signatures and timestamp skew checks on inbound lead webhooks.

Decision audit

Qualification stores policy version, inputs, score contributions, result, and overrides.

Transport & secrets

TLS in transit; production secrets via secret manager—not env dumps in logs.

PII discipline

Operational logs aim to mask phone/email; retention configurable per deployment.