Trust and safety
Current security posture.
Implemented application controls, deployment requirements, and the assurance work that still needs independent operating evidence.
Source detectedProbability movedDesk reviewedBrief ready
Assurance status: GreenCIO is not claiming SOC 2 certification, a contractual SLA, or completed production restore and alert-delivery drills. Those controls remain release evidence gates and are provided only when verified.
Security Architecture
Data Protection
- • TLS for application traffic
- • Provider-managed encryption at rest for hosted storage
- • Deployment secrets for API keys and service credentials
- • Server-side access to service-role credentials only
Access Control
- • Google OAuth sign-in support
- • Session-gated console and compute-desk routes
- • Organization-aware API access for compute-desk data
- • Separate server-side credentials for agent, ingestion, approval, and cron trust domains
Infrastructure Security
Platform Security
- • Managed hosting and storage providers
- • GCS and Supabase persistence when configured
- • Protected liveness/readiness checks for configured dependencies
- • Dependency, lint, test, and build checks before release
Threat Detection
- • Provider edge protections where deployed
- • CSRF protection on lead-capture flows
- • Structured server logs with sensitive-field redaction
- • Durable, fail-closed limits on security-sensitive and bounded public routes
Compliance & Certifications
Current
- Privacy policy and terms
- Google OAuth session flow
- Secret-backed internal endpoints
In Progress
- • SOC 2 readiness controls
- • Vendor security questionnaire pack
- • Formal incident response runbook
Documents
- • Security overview
- • Vendor questionnaires by request
- • DPA review by request
- • Sub-processor list by request
Security-First Development
Security review is part of the release process. Material changes are expected to include:
- • Threat modeling for sensitive data paths
- • Static checks, tests, and build verification
- • Third-party review when enterprise scope requires it
- • Security review before release
We welcome responsible vulnerability reports and route them through the security contact below.
For security questionnaires, audit reports, or to report a vulnerability, contact our security team at security@greencio.com