SECURITY
Security posture
Last reviewed May 2026
This page describes how Trochia is built, what we do to keep customer data safe, and what we are working toward. It is updated when material things change.
Tenancy and isolation
Every table in the application database carries an account_idand is gated by Postgres row-level security with a default-deny policy. A request is bound to one account; queries cannot return rows from another tenant. A two-tenant isolation test runs in CI on the database schema as the schema evolves.
Encryption
Data is encrypted in transit (TLS 1.2+) and at rest (the database provider's native at-rest encryption). Sensitive fields (secrets, API keys, tokens) never enter logs, error reports, or product analytics. A field-scrubbing pass runs before payloads leave the application.
Authentication
Sign-in is handled by Supabase Auth: Google SSO and magic-link email at MVP; multi-factor authentication lands at V2. Server-side session validation runs on every authenticated request; the API never trusts a client-supplied account identifier.
The AI surface
All model calls route through a single chokepoint in the application (src/ai/client.ts). That chokepoint enforces prompt caching, structured-output validation, rate limits, and the no-training contract with the model provider. The fallback path is config-flagged off by default. The chokepoint is lint-enforced. Modules under the financial primitives (the SAFE generator and the cap-table engine) cannot import from it.
External sends
Anything Trochia sends outside the product on behalf of a founder (outreach, intros, signature requests) routes through an explicit founder-approval dialog. No autonomous send.
Vendors
The full sub-processor inventory, every vendor that sees customer data, its training posture, its retention window, and its contract status, lives in our internal vendor-data-flow document and is referenced from the Data Processing Addendum at /legal/dpa. The headline commitment: no customer data enters a model-training pipeline.
Data lifecycle
Account deletion is a 30-day soft-delete window followed by permanent purge from primary databases. A founder can export every tenant-scoped record at any time as a JSON dump delivered via a private signed URL.
Operational controls
Production deploys go through CI: lint, type-check, unit and integration tests, a banned-string scan on copy, a Lighthouse perf+a11y+SEO gate on the homepage. Errors and traces flow to Sentry; model-call metrics flow to Langfuse. The on-call founder reviews production alerts daily.
Reporting a vulnerability
Email security@trochia.ai. Please include steps to reproduce, an estimate of the impact, and any artifacts. We respond within 72 hours and credit researchers who report in good faith.
Roadmap
SOC 2 Type I preparation begins at Phase 11 (public launch). EU data residency lands at V2 (Phase 8) alongside multi-factor authentication. Detailed audit logging and customer-facing access logs land alongside the data-room module.