Security
Security is a feature, not a checklist.
The short version of how we handle customer data and the infrastructure that touches it.
Tenant isolation
Every row in our database carries `tenant_id` + `workspace_id`. Every store query, every API route, every cron worker scopes by them. Row-level security (RLS) is on the roadmap as defense in depth.
Encryption
TLS 1.2+ for everything in transit. Postgres at-rest encryption via Supabase. Secrets in Doppler; we never check secrets into git.
Audit trail
Every privileged action lands in a hash-chained audit log with 7-year retention. Available on Scale and Enterprise plans.
Authentication
Clerk-backed auth at launch. SAML SSO + SCIM on Scale and Enterprise.
Webhook integrity
Inbound webhooks verify provider signatures (Svix for Resend, Ed25519 for Telnyx). Outbound webhooks ship with HMAC-SHA256 signatures (Stripe / Svix-compatible).
GDPR + retention
Self-serve data export + delete via /admin/settings/data-requests. 30-day soft-delete grace period; hard-delete after.
Coordinated disclosure
Found a security issue? Email security@blendwave.ai with the steps to reproduce and your contact info. We triage within 1 business day and credit reporters in the release notes (opt-in).
SOC 2 Type I in progress with Vanta. Subprocessors listed here. Full Privacy Policy here.