Security

Security and Trust

A conservative overview of current SOPSai security practices and planned trust improvements.

Product

SOPSai

Effective date

[EFFECTIVE_DATE]

Contact

[SUPPORT_OR_PRIVACY_EMAIL]

These pages are first-draft placeholders for private beta and should be reviewed by qualified counsel before public launch.

1

Security at SOPSai

SOPSai is designed around workspace-based access controls, authenticated accounts, and careful handling of customer SOP content.

This page describes current security practices and planned improvements. It does not represent a completed audit, certification, or compliance guarantee.

2

Data Ownership

Customers retain ownership of their SOPs, notes, transcripts, departments, tags, and related workspace content.

SOPSai processes customer content to provide, operate, secure, maintain, support, and improve the service.

3

Authentication and Access Controls

SOPSai uses Supabase Auth for account authentication and session management. Users must authenticate before accessing private workspaces and application routes.

Workspace owners and authorized users are responsible for keeping credentials secure and limiting workspace access to appropriate users.

4

Workspace Isolation

SOPSai organizes content by workspace. Application logic and database queries are designed to load SOPs, departments, and related records for the active authenticated workspace.

Workspace isolation is an important security boundary and is reviewed as product features are added.

5

Database Security and Row-Level Security

SOPSai uses Supabase database features, including row-level security policies, to help restrict records to authorized users and workspaces.

RLS policies are kept enabled and should not be bypassed in normal application code.

6

Infrastructure Providers

SOPSai relies on infrastructure providers such as Supabase for authentication, database, and backend infrastructure. Application hosting may use Vercel or another hosting provider as the product evolves.

These providers process data as needed to host, secure, and operate the service.

7

AI Processing

When AI features are used, user-provided notes, transcripts, SOP content, and related instructions may be sent to AI service providers to generate drafts.

Users should review generated SOPs before relying on them, and should not submit sensitive regulated data unless their agreement with SOPSai permits it.

8

Internal Access

SOPSai does not claim that employees or authorized operators never access customer data. Access may be needed for support, troubleshooting, security, abuse prevention, legal compliance, or service operations.

The intended practice is to limit internal access to people and situations where access is reasonably needed.

9

Backups and Retention

SOPSai and its infrastructure providers may maintain backups, logs, and operational records for reliability, security, legal, and recovery purposes.

Backup and retention behavior may vary by provider and product configuration. Deletion requests may not immediately remove content from backups.

10

Incident Response

SOPSai intends to investigate suspected security incidents, take appropriate containment and remediation steps, and notify affected customers or authorities when required by applicable law or contract.

Incident response processes will mature as SOPSai moves from private beta toward broader availability.

11

Responsible Disclosure / Vulnerability Reports

If you believe you have found a vulnerability in SOPSai, please contact [SUPPORT_OR_PRIVACY_EMAIL] with a clear description, reproduction steps, and any relevant evidence.

Please avoid accessing, modifying, deleting, or sharing data that does not belong to you while testing or reporting an issue.

12

Security Roadmap

Future security roadmap items may include more granular permissions, audit logs, stronger administrative controls, SSO, SCIM, formal security reviews, and enterprise readiness work.

SOC 2 and additional enterprise controls may be considered in the future, but SOPSai does not currently claim SOC 2 certification or enterprise compliance.