Reliability, security & trust
Show, don’t claim.
Most security pages list vendors and certifications. This one lists the work the platform does itself, every night, in numbers. Anything we can’t prove with a number renders as an em-dash, not a zero.
The platform audits itself, every night.
An autonomous conductor runs the full audit + journey suite, classifies failures (flake vs. real), and opens PRs for fixes. No PR auto-merges — every human-reviewed. When the same flake hits 7 consecutive nights, on-call is paged.
A feature can’t ship without its tests.
Every feature flag must have an MCP tool reference, a docs entry, AND an e2e test — CI-locked via cross-dim-audit --check. A regression cannot ship.
The audit trail is tamper-evident.
Every owner / admin / system-admin action writes a chain-hashed audit row. Cross-tenant scope leaks are structurally prevented at the SQL layer + verified by a tenant-isolation property fuzzer.
- Chain-hashed audit logYes
- Tenant-isolation property fuzzerRuns nightly
- PII-leakage scannerRuns nightly · cleared
- SSRF guard on every outbound fetchRFC1918 + link-local + cloud-metadata blocked
- Bulk-mutation two-phase confirmHMAC-bound, 60 s TTL
Compliance.
Technical posture meets SOC 2 Type II controls (encryption at rest, audit-log retention, SSRF guards, secret vault with BYO-KMS read-side); Type II attestation paperwork in flight via a third-party vendor.
- SOC 2Type II — attestation in progress
- Encryption at restPer-row, with per-tenant BYO-KMS read-side
- Encryption in transitTLS 1.2+ everywhere
- Customer data residencyUS (Postgres + S3 + Modal)
- SubprocessorsFull list →
Reliability.
Nightly autonomous loop runs the full audit + journey suite, classifies failures (flake vs. real), opens PRs for fixes (never auto-merge), and pages on-call after 7 consecutive nights of unresolved flakiness.
- Realtime process-resilience guardTransient DB / network errors logged + recovered without dropping live calls
- Cross-replica safetyFOR UPDATE SKIP LOCKED on every multi-replica-sensitive cron
- Anthropic resilient clientAuto-failover on 429 / 5xx / credit_balance_too_low
- Recording consentHard-gated; start + stop chime; no override