Legal

Security

Last updated · June 6, 2026

SentrAI is built to be defensible in front of an enterprise security review. This page summarizes our current controls. A detailed security questionnaire and pilot DPA are available on request.

Tenancy & isolation

  • Per-tenant data partitioning enforced in the database via row-level security policies scoped to auth.uid().
  • No cross-tenant queries by construction — server functions never bypass RLS for user data reads.

Authentication

  • Google OAuth and email / password sign-in via our identity broker.
  • Leaked-password protection (HIBP) enabled on all email signups and password changes.
  • SAML SSO is available for pilot customers on request.

Data protection

  • All data encrypted at rest (AES-256) and in transit (TLS 1.2+).
  • Secrets stored in managed secret storage — never in source control or environment files committed to git.
  • Pilot intake IPs are SHA-256 hashed before storage; raw IPs are not retained.

Audit log integrity

  • Append-only audit store. Every decision carries a SHA-256 evidence hash.
  • Exports available as CSV today; signed manifests and SIEM streaming are on the pilot roadmap.

Application security

  • All user input validated server-side with Zod schemas before reaching the database.
  • Rate limiting on pilot intake and organization-connection endpoints.
  • Honeypot field on public forms to suppress automated abuse.

Vulnerability reporting

Please report security issues to security@sentrai.dev. We acknowledge within 2 business days and will not pursue legal action against good-faith research.