Compliance roadmap
Data you send us
Sophie needs three categories of data to be useful:
- Financial metrics: ARR, NRR, CAC payback, burn - numbers you already track in a board deck. Treated as confidential business data.
- Qualitative assessment answers: your responses to the 265-question GRIP diagnostic. Used solely to compute your pillar scores and detect constraints.
- Optional: uploaded playbooks / post-mortems via the Custom Knowledge feature. Strictly tenant-scoped, never surfaces in another workspace.
We never ingest customer PII, PHI, PCI, source code, or credentials. The public API's /v1/chat endpoint accepts plain text messages - what you send is what you control.
Encryption
- In transit: TLS 1.3 on every endpoint. HSTS enforced. No plain HTTP.
- At rest: Supabase Postgres with AES-256 disk encryption + point-in-time recovery. Embeddings + chat history stored in the same encrypted Postgres cluster.
- API keys: stored as SHA-256 hashes; plaintext is shown once at creation and never again.
- Slack bot tokens: encrypted at rest in Supabase; never exposed via admin APIs (only existence / prefix is surfaced).
Access control
- Supabase Row-Level Security on every table; anon read / service-role write pattern audited per migration.
- SSO via WorkOS SAML / OIDC available on Pro and Enterprise.
- Public API keys are workspace-scoped and cannot target other tenants - enforced at the key-validation layer, not at the endpoint.
- Admin access limited to a single email (env-configured) with MFA.
Audit trail
Every write Sophie makes - create_action, update_constraint_state, notify_team, confirmations of any kind - writes to decision_records with actor, reason, GRIP rule, and the before/after state. On Enterprise, this is exportable as CSV via /api/admin/audit-trail-export.
Incident response
- Sev-1 response time: 4 hours from detection.
- Customer notification: within 72 hours of confirmed breach (GDPR Art. 33 aligned).
- Post-incident report published on this page within 30 days of resolution.
- Status page coming with SOC 2 Type I.
Data retention & deletion
- Active workspace data retained for the duration of the subscription.
- On workspace deletion: all rows cascade via foreign keys; embeddings, chat logs, memory, and turn logs removed within 30 days.
- Supabase point-in-time recovery retains backups for 7 days past deletion. Purged backups are not reconstructable.
- Customer can request a full data export at any time: email contact@caugia.com with the workspace UUID.
Subprocessors
| Vendor | Purpose | Region |
|---|---|---|
| Supabase | Postgres + Auth + Storage | EU eu-north-1 (Stockholm) primary; US per customer config |
| Vercel | Edge hosting + cron scheduler | Global CDN, primary EU |
| Anthropic | Sophie LLM (Claude Sonnet / Haiku) | US; no training on customer data |
| OpenAI | Embeddings (text-embedding-3-small) + Whisper STT + gpt-4o-mini TTS | US; no training on customer data |
| Resend | Transactional email delivery | EU + US |
| Stripe | Billing + subscription management | EU + US |
| WorkOS | SSO (SAML / OIDC) on Pro + Enterprise | US with EU residency available |
Contact
Security reports: security@caugia.com
DPA / compliance docs: contact@caugia.com
Vulnerability disclosure: PGP key available on request.
