Security & Trust
Last updated: May 23, 2026
Your workflows describe how your business runs. We take that seriously. Here's exactly what we do to keep your data safe.
Infrastructure
Edessa runs on SOC 2 Type II certified infrastructure end to end:
- Vercel hosts the application. Vercel security
- Supabase hosts the Postgres database and file storage. Supabase security
- Stripe processes all payments. Edessa never sees your card number. Stripe security
- Resend sends transactional email. Resend security
Encryption
- All data is encrypted in transit with TLS 1.2 or higher.
- Database storage and file storage are encrypted at rest by Supabase (AES-256).
- Payment data is encrypted and tokenized by Stripe (PCI DSS Level 1 certified).
Data isolation
- Every organization's data is partitioned by Postgres Row-Level Security (RLS).
- Even our service code can't see workflows belonging to another organization without proof of membership at query time.
- Storage buckets are scoped by organization id; signed URLs are short-lived.
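As an illustration of the membership-checked RLS pattern described above (an added example, not Edessa's actual schema or policies): the table, column and policy names are hypothetical, and the sketch assumes a Supabase project, where `auth.uid()` returns the caller's user id and `authenticated` is the signed-in role.

```sql
-- Added illustration: organizations, org_members, workflows and both policy
-- names are hypothetical and are not taken from Edessa.
create table organizations (
  id   uuid primary key default gen_random_uuid(),
  name text not null
);
create table org_members (
  org_id  uuid not null references organizations (id) on delete cascade,
  user_id uuid not null,
  role    text not null check (role in ('owner', 'member')),
  primary key (org_id, user_id)
);
create table workflows (
  id     uuid primary key default gen_random_uuid(),
  org_id uuid not null references organizations (id) on delete cascade,
  title  text not null
);

-- With RLS enabled and no matching policy, a query returns zero rows.
alter table org_members enable row level security;
alter table workflows   enable row level security;
alter table workflows   force row level security;  -- applies to the table owner too

-- A user can read only their own membership rows.
create policy member_reads_own_membership on org_members
  for select to authenticated
  using (user_id = auth.uid());

-- A workflow row is readable or writable only if the caller is a member of
-- its organization; the check is evaluated on every query.
create policy workflows_member_access on workflows
  for all to authenticated
  using (exists (
    select 1 from org_members m
    where m.org_id = workflows.org_id and m.user_id = auth.uid()))
  with check (exists (
    select 1 from org_members m
    where m.org_id = workflows.org_id and m.user_id = auth.uid()));

-- Audit check: list public tables that still have RLS switched off.
-- Superusers and roles with the BYPASSRLS attribute skip policies entirely,
-- so the roles used by application code matter as much as the policies.
select schemaname, tablename
from pg_tables
where schemaname = 'public' and not rowsecurity;
```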
AI processing
When you record a workflow, the recording is sent to AI providers (Anthropic and Google) for transcription, step extraction, and gap auditing. Per our contracts with those providers:
- Your recordings and workflows are not used to train AI models.
- Providers process your data only to fulfil our requests.
- You can review each provider's data-processing terms on their sites.
Authentication
- Email + password (verified via confirmation email) or Google OAuth.
- Passwords are hashed and salted by Supabase Auth (bcrypt).
- Sessions use HTTP-only, secure cookies.
Backups & recovery
Supabase maintains automated daily database backups. File storage is replicated across availability zones. In the event of an incident, we restore from the most recent good snapshot.
Access controls
- Only the organization owner can invite or remove members.
- Only the owner can change billing or cancel the subscription.
- The owner can revoke any pending invite from Settings → Members.
Deletion
You can request deletion of your organization, all its members, and all its workflows at any time. Email thaddeus@elevaiteworks.com from the account's email address and we'll process the request within 30 days.
What we're still building
We're an early-stage, two-founder team focused on building product the right way. Some things we know are on the roadmap:
- SOC 2 Type II audit for Edessa itself (currently we rely on our SOC 2-certified infrastructure providers).
- Single Sign-On (SSO) with SAML/SCIM for larger teams.
- Custom data residency for non-US customers.
If you have a specific security requirement that's a deal breaker, email thaddeus@elevaiteworks.com. We're happy to talk through it.
Report a security issue
Found a vulnerability? Please email thaddeus@elevaiteworks.com with the subject line "Security report" and we'll get back to you within 2 business days.