Trust and safety

Current security posture.

Implemented application controls, deployment requirements, and the assurance work that still needs independent operating evidence.

Source detectedProbability movedDesk reviewedBrief ready
Assurance status: GreenCIO is not claiming SOC 2 certification, a contractual SLA, or completed production restore and alert-delivery drills. Those controls remain release evidence gates and are provided only when verified.

Security Architecture

Data Protection

  • • TLS for application traffic
  • • Provider-managed encryption at rest for hosted storage
  • • Deployment secrets for API keys and service credentials
  • • Server-side access to service-role credentials only

Access Control

  • • Google OAuth sign-in support
  • • Session-gated console and compute-desk routes
  • • Organization-aware API access for compute-desk data
  • • Separate server-side credentials for agent, ingestion, approval, and cron trust domains

Infrastructure Security

Platform Security

  • • Managed hosting and storage providers
  • • GCS and Supabase persistence when configured
  • • Protected liveness/readiness checks for configured dependencies
  • • Dependency, lint, test, and build checks before release

Threat Detection

  • • Provider edge protections where deployed
  • • CSRF protection on lead-capture flows
  • • Structured server logs with sensitive-field redaction
  • • Durable, fail-closed limits on security-sensitive and bounded public routes

Compliance & Certifications

Current

  • Privacy policy and terms
  • Google OAuth session flow
  • Secret-backed internal endpoints

In Progress

  • • SOC 2 readiness controls
  • • Vendor security questionnaire pack
  • • Formal incident response runbook

Documents

  • • Security overview
  • • Vendor questionnaires by request
  • • DPA review by request
  • • Sub-processor list by request

Security-First Development

Security review is part of the release process. Material changes are expected to include:

  • • Threat modeling for sensitive data paths
  • • Static checks, tests, and build verification
  • • Third-party review when enterprise scope requires it
  • • Security review before release

We welcome responsible vulnerability reports and route them through the security contact below.

For security questionnaires, audit reports, or to report a vulnerability, contact our security team at security@greencio.com