Security overview (draft beta)
This page summarizes how VendorPilot approaches security in the beta. It is not a certification or audit report. We do not claim SOC 2, ISO 27001, or similar attestations.
Workspace isolation
- Row Level Security (RLS): organization-scoped tables enforce access through organization_members and auth.uid(), so members only see their workspace data even if an application query omits a filter.
- Roles: viewers are read-only (they cannot perform mutations) on tables where the policies are applied consistently.
Documents & storage
- Files live in a private Supabase Storage bucket (not public).
- Object paths include organization_id as a prefix.
- Downloads use short-lived signed URLs (configured centrally in the app).
- Uploads are validated server-side for type and size; workspace and daily upload caps apply.
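The RLS and object-path model described under Workspace isolation and Documents & storage, as an added Postgres/Supabase sketch that is not VendorPilot's own schema or policies; the table columns, the 'viewer' role value, the 'documents' bucket name and the helper function names are assumptions:

```sql
-- Added example, not VendorPilot's own schema. Assumed tables and columns:
--   organization_members(organization_id uuid, user_id uuid, role text)
--   documents(id uuid, organization_id uuid, ...)
-- Assumed: the role value 'viewer' and a private bucket named 'documents'.

-- Workspaces the calling user belongs to. SECURITY DEFINER so the membership
-- lookup does not itself recurse through RLS on organization_members.
create or replace function my_org_ids() returns setof uuid
language sql stable security definer set search_path = public as $$
  select organization_id from organization_members where user_id = auth.uid();
$$;

-- True when the caller is a non-viewer member of the given workspace.
create or replace function can_write_org(org uuid) returns boolean
language sql stable security definer set search_path = public as $$
  select exists (
    select 1 from organization_members
    where organization_id = org and user_id = auth.uid() and role <> 'viewer');
$$;

alter table documents enable row level security;

-- Reads: any member of the row's workspace, even if the app query omits a filter.
create policy "members read own org" on documents
  for select using (organization_id in (select my_org_ids()));

-- Mutations: members only, and never viewers. UPDATE needs both clauses so a
-- row cannot be moved into a workspace the caller may not write to.
create policy "non-viewers insert" on documents
  for insert with check (can_write_org(organization_id));
create policy "non-viewers update" on documents
  for update using (can_write_org(organization_id))
             with check (can_write_org(organization_id));
create policy "non-viewers delete" on documents
  for delete using (can_write_org(organization_id));

-- Storage: object names are "<organization_id>/<rest of path>", so the first
-- path segment scopes direct authenticated reads to the caller's workspaces.
-- (Signed URLs are issued server-side and are not subject to this policy.)
create policy "members read own org files" on storage.objects
  for select using (
    bucket_id = 'documents'
    and (storage.foldername(name))[1] in (select id::text from my_org_ids() as o(id)));
```

A quick check for the read policy is to run a SELECT on documents as a member of one workspace with no WHERE clause and confirm only that workspace's rows come back.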
AI & secrets
- OpenAI and Supabase service role keys are server-only; they are not exposed in client bundles.
- AI runs only after an explicit user action; viewers cannot trigger mutating AI flows.
- Usage limits apply per workspace and per user (rolling 24h) for beta stability.
Audit logs
Selected events (uploads, AI runs, rejections) are written with redacted metadata. Audit entries are not a complete forensic trail for all reads.
Current limitations
- No built-in virus scanning of uploads.
- No enterprise SSO in this beta.
- No PDF/DOCX text extraction for AI review — TXT only in-product.
Responsible disclosure
If you believe you have found a security vulnerability, email hello@usevendorpilot.com with a concise description and reproduction steps. Please allow reasonable time before public disclosure.