Reliability, security & trust

Show, don’t claim.

Most security pages list vendors and certifications. This one lists the work the platform does itself, every night, in numbers. Anything we can’t prove with a number renders as an em-dash, not a zero.

The platform audits itself, every night.

An autonomous conductor runs the full audit + journey suite, classifies failures (flake vs. real), and opens PRs for fixes. No PR auto-merges; every one is human-reviewed. When the same flake hits 7 consecutive nights, on-call is paged.

  • Last run: Jul 1, 2026
  • Runs (30 d): 27
  • PRs opened (30 d): 0
  • Flakes classified (30 d): 0

A feature can’t ship without its tests.

Every feature flag must have an MCP tool reference, a docs entry, AND an e2e test — CI-locked via cross-dim-audit --check. A regression cannot ship.

  • MCP coverage gap: 0 feature flags missing an MCP tool
  • Docs coverage gap: 0 flags missing a catalog entry
  • E2E coverage gap: 0 flags missing a journey test

The audit trail is tamper-evident.

Every owner / admin / system-admin action writes a chain-hashed audit row. Cross-tenant scope leaks are structurally prevented at the SQL layer + verified by a tenant-isolation property fuzzer.

  • Chain-hashed audit log: Yes
  • Tenant-isolation property fuzzer: Runs nightly
  • PII-leakage scanner: Runs nightly · cleared
  • SSRF guard on every outbound fetch: RFC1918 + link-local + cloud-metadata blocked
  • Bulk-mutation two-phase confirm: HMAC-bound, 60 s TTL
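
An added example, not the platform's own code: a minimal chain-hashed audit log in Python showing why such a trail is tamper-evident and what a verifier has to check. The row fields, SHA-256, the genesis value and the externally recorded head hash are assumptions; the page does not describe the platform's schema or hash function.

```python
import hashlib
import hmac
import json
from typing import Optional

GENESIS = "0" * 64  # assumed prev_hash for the first row


def row_hash(prev_hash: str, record: dict) -> str:
    """SHA-256 over the previous row's hash plus a canonical encoding of this row."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(f"{prev_hash}\n{canonical}".encode()).hexdigest()


def append(log: list, actor: str, role: str, action: str, tenant: str) -> dict:
    """Append an audit row linked to the current tail of the chain."""
    record = {"seq": len(log), "actor": actor, "role": role,
              "action": action, "tenant": tenant}
    prev = log[-1]["hash"] if log else GENESIS
    log.append({**record, "prev_hash": prev, "hash": row_hash(prev, record)})
    return log[-1]


def verify(log: list, expected_head: Optional[str] = None) -> Optional[int]:
    """Return the index of the first broken row, or None if the chain is intact.

    expected_head is the last hash as recorded outside the table; without it,
    rows removed from the tail cannot be noticed.
    """
    prev = GENESIS
    for i, row in enumerate(log):
        record = {k: v for k, v in row.items() if k not in ("prev_hash", "hash")}
        if row["seq"] != i or row["prev_hash"] != prev:
            return i  # row deleted, reordered or relinked
        if not hmac.compare_digest(row["hash"], row_hash(prev, record)):
            return i  # row contents edited after the fact
        prev = row["hash"]
    if expected_head is not None and prev != expected_head:
        return len(log)  # tail truncated
    return None


def build_sample_log() -> list:
    """Constructed sample rows, not real platform data."""
    log: list = []
    append(log, "alice", "owner", "tenant.settings.update", "t-1")
    append(log, "bob", "admin", "user.delete", "t-1")
    append(log, "svc-cron", "system-admin", "retention.purge", "t-2")
    return log
```

Editing a row and recomputing its own hash still breaks the link from the next row, so the chain only stays consistent if every later row and the externally held head are rewritten too.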

Compliance.

Technical posture meets SOC 2 Type II controls (encryption at rest, audit-log retention, SSRF guards, secret vault with BYO-KMS read-side); Type II attestation paperwork in flight via a third-party vendor.

  • SOC 2: Type II — attestation in progress
  • Encryption at rest: Per-row, with per-tenant BYO-KMS read-side
  • Encryption in transit: TLS 1.2+ everywhere
  • Customer data residency: US (Postgres + S3 + Modal)
  • Subprocessors: Full list →

Reliability.

The nightly autonomous loop runs the full audit + journey suite, classifies failures (flake vs. real), opens PRs for fixes (never auto-merged), and pages on-call after 7 consecutive nights of unresolved flakiness.

  • Realtime process-resilience guard: Transient DB / network errors logged + recovered without dropping live calls
  • Cross-replica safety: FOR UPDATE SKIP LOCKED on every multi-replica-sensitive cron
  • Anthropic resilient client: Auto-failover on 429 / 5xx / credit_balance_too_low
  • Recording consent: Hard-gated; start + stop chime; no override