Security is the
foundation.

TLS 1.3 enforced on all API endpoints and dashboard connections. HTTP connections redirect to HTTPS. HSTS with 1-year max-age and preload.

AES-256 encryption on all Supabase storage volumes. Document binaries stored in encrypted S3-compatible object storage with per-tenant key isolation.

PostgreSQL column-level encryption for sensitive fields (API keys, credentials). Database backups encrypted with the same key hierarchy.

Deployed on Railway — isolated containers with no shared state between tenants. Automatic restarts on failure. Zero-downtime deployments via blue-green strategy.

Supabase on AWS — PostgreSQL with point-in-time recovery, automated daily backups (30-day retention), and read replicas for dashboard queries.

Egress is whitelisted per integration. No inbound ports open except 443. Rate limiting at the CDN layer and at the API route layer independently.

Multi-AZ database configuration. API layer horizontally scalable. Target 99.9% monthly uptime on Enterprise plans.

PostgreSQL RLS policies enforced at the database layer — not the application layer. An organisation cannot read, write, or enumerate another organisation's data even with a compromised API key.

Every table carrying user data has an `org_id` foreign key. RLS policies validate `auth.jwt()->>'org_id'` on every query. Supabase's PostgREST enforces this at the connection level.

API keys can be rotated at any time from the dashboard. Old keys are immediately invalidated — no grace period. Audit log records every key rotation with timestamp and user.

Role-based access: Admin, Operator, Viewer. Admins manage team and billing. Operators run and approve agents. Viewers read-only. SSO providers map roles via SAML attributes.

Every agent action, approval decision, document state change, configuration update, team member change, and API key event is logged.

Each log entry includes: timestamp (UTC microseconds), org_id, user_id, agent_id, action_type, resource_id, IP address, and a structured payload.

Audit logs are written to an append-only table. No application code path permits UPDATE or DELETE on audit records. Database superuser access is restricted to the infrastructure team.

Enterprise customers can export audit logs via API or scheduled SFTP delivery. SIEM connectors available for Splunk, Datadog, and generic webhook targets.

A standard DPA is available for all customers. Enterprise DPAs with custom SCCs available on request. Signed within 2 business days.

Default storage: EU (Frankfurt, AWS eu-central-1). Enterprise option: US (N. Virginia, AWS us-east-1). Region selected at organisation creation and cannot be changed without migration.

Deletion requests honored within 72 hours. Deletion covers: extracted document data, agent logs, user profiles. Audit records are anonymised rather than deleted (required for compliance integrity).

Full sub-processor list available at eclips.tech/legal/sub-processors. We notify customers of sub-processor changes 30 days in advance.

A system-level constitution is prepended to every agent context. It prohibits: fabricating data, bypassing approval gates, operating outside declared scope, and taking destructive actions without explicit approval.

All Submit (Tier 4) and Destructive (Tier 5) browser actions are hard-blocked until a human approves from the dashboard. Gates are enforced in the orchestrator wrapper — below the LLM, not inside it.

Agents earn trust levels 1–5 through demonstrated accuracy over time. Trust levels gate which actions can run without human review. Level 1 agents require approval on all non-trivial actions. Level 5 agents can auto-approve within their trained scope.

Your documents and extracted data are never used to train foundation models. Your data is not shared with Anthropic or any other model provider beyond the in-context inference call.