Legal
Security
Last updated · June 6, 2026
SentrAI is built to be defensible in front of an enterprise security review. This page summarizes our current controls. A detailed security questionnaire and pilot DPA are available on request.
Tenancy & isolation
- Per-tenant data partitioning enforced in the database via row-level security policies scoped to
auth.uid(). - No cross-tenant queries by construction — server functions never bypass RLS for user data reads.
Authentication
- Google OAuth and email / password sign-in via our identity broker.
- Leaked-password protection (HIBP) enabled on all email signups and password changes.
- SAML SSO is available for pilot customers on request.
Data protection
- All data encrypted at rest (AES-256) and in transit (TLS 1.2+).
- Secrets stored in managed secret storage — never in source control or environment files committed to git.
- Pilot intake IPs are SHA-256 hashed before storage; raw IPs are not retained.
Audit log integrity
- Append-only audit store. Every decision carries a SHA-256 evidence hash.
- Exports available as CSV today; signed manifests and SIEM streaming are on the pilot roadmap.
Application security
- All user input validated server-side with Zod schemas before reaching the database.
- Rate limiting on pilot intake and organization-connection endpoints.
- Honeypot field on public forms to suppress automated abuse.
Vulnerability reporting
Please report security issues to security@sentrai.dev. We acknowledge within 2 business days and will not pursue legal action against good-faith research.
