Security
Placeholder — review and replace before launch with copy approved by your legal team AND your security team. The claims below match the controls in the codebase at the time of writing; do not publish without verifying every line still holds.
Last updated: 2026-05-06
1. Identity & access
- Authentication is delegated to Supabase Auth (RS256 JWTs verified against the JWKS endpoint).
- Authorization is per-organization with four roles (owner / admin / member / readonly). Cross-org reads return 404, never 403, so cross-tenant id enumeration fails.
- Mutation endpoints require a writer-or-higher role; destructive and export endpoints require admin.
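The role ladder and the 404-over-403 rule above can be shown in a few lines. The following Python is an added example written for this page, not Transaction Ops' own code: the role names come from the list above, while the role ranking, the in-memory document store, the `Caller`/`Document` shapes and the `status_for` helper are assumptions chosen for illustration. The point it demonstrates is that a tenant-scoped lookup reports a miss and a cross-org hit identically, so the status code never confirms that an id exists in another tenant.

```python
# Added example (assumed shapes, not the project's code): per-organization
# authorization with a role hierarchy, where any object outside the caller's
# organization is indistinguishable from a missing one.
from dataclasses import dataclass
from typing import Dict

# Roles from the page, ranked; the numeric ranking itself is an assumption.
ROLE_RANK = {"readonly": 0, "member": 1, "admin": 2, "owner": 3}


@dataclass(frozen=True)
class Caller:
    user_id: str
    org_id: str
    role: str


@dataclass(frozen=True)
class Document:
    doc_id: str
    org_id: str
    title: str


class HttpError(Exception):
    def __init__(self, status: int, message: str):
        super().__init__(message)
        self.status = status


# Constructed sample data: two tenants with one document each.
DOCS: Dict[str, Document] = {
    "doc-a1": Document("doc-a1", "org-a", "Lease agreement"),
    "doc-b1": Document("doc-b1", "org-b", "Purchase contract"),
}


def load_document(caller: Caller, doc_id: str) -> Document:
    """Tenant-scoped lookup. A missing id and an id owned by another
    organization both raise 404, so the response cannot be used to
    probe which ids exist elsewhere."""
    doc = DOCS.get(doc_id)
    if doc is None or doc.org_id != caller.org_id:
        raise HttpError(404, "not found")
    return doc


def require_role(caller: Caller, minimum: str) -> None:
    """Reject callers whose role ranks below the endpoint's minimum.
    Only reached for objects the caller's own organization owns."""
    if ROLE_RANK.get(caller.role, -1) < ROLE_RANK[minimum]:
        raise HttpError(403, "insufficient role")


def status_for(caller: Caller, doc_id: str, minimum_role: str = "readonly") -> int:
    """Return the HTTP status a request for doc_id would receive (200 on success)."""
    try:
        load_document(caller, doc_id)     # tenant check first: 404 for anything foreign
        require_role(caller, minimum_role)  # role check second: 403 only within the tenant
        return 200
    except HttpError as e:
        return e.status


if __name__ == "__main__":
    member_a = Caller("u1", "org-a", "member")
    print(status_for(member_a, "doc-a1"))            # own document: 200
    print(status_for(member_a, "doc-b1"))            # other tenant's document: 404
    print(status_for(member_a, "doc-zz"))            # nonexistent: also 404
    print(status_for(member_a, "doc-a1", "admin"))   # own document, too low a role: 403
```

Doing the tenant check before the role check matters: a low-privilege caller probing a foreign id still sees 404, and 403 is only ever returned for objects inside the caller's own organization.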
2. Encryption
- All inbound traffic is TLS-terminated at the edge. The internal compose network carries traffic between services that run on the same host.
- Object storage (IDrive E2) is encrypted at rest by the provider. Database backups are encrypted at the bucket level.
- n8n stored credentials are encrypted with a per-deployment key managed and backed up per docs/N8N_PRODUCTION.md.
3. Document handling
- Uploads use server-generated, prefix-validated storage keys. The frontend cannot choose arbitrary object paths.
- Presigned upload URLs and download URLs expire within minutes (configurable).
- Every uploaded PDF is streamed through a ClamAV malware scanner before any analysis runs (configurable; required by default in production).
- Filenames are sanitised; the API enforces a server-side mime allowlist (PDF only) and a per-file size cap.
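The upload controls listed above (server-generated keys, prefix validation, filename sanitisation, a PDF-only allowlist and a size cap) fit together as shown in this added Python example. It is illustrative code for this page, not the service's implementation: the key layout `orgs/<org>/documents/<doc>/<uuid>.pdf`, the size cap and the function names are assumptions. It goes slightly beyond the text by checking the PDF magic bytes as well as the declared MIME type, which is the usual way to make a server-side allowlist independent of what the client claims.

```python
# Added example (assumed key layout and limits, not the project's code):
# server-side storage keys, prefix validation, filename sanitisation and a
# PDF-only upload check.
import re
import uuid
from typing import Optional

MAX_UPLOAD_BYTES = 25 * 1024 * 1024      # assumed per-file cap
ALLOWED_MIME = {"application/pdf"}       # server-side allowlist from the page
ID_PATTERN = re.compile(r"[A-Za-z0-9_-]{1,64}")


def storage_key_for(org_id: str, doc_id: str) -> str:
    """The server mints the object key; the frontend never supplies a path."""
    for part in (org_id, doc_id):
        if not ID_PATTERN.fullmatch(part):
            raise ValueError("invalid id")
    return f"orgs/{org_id}/documents/{doc_id}/{uuid.uuid4().hex}.pdf"


def key_belongs_to_org(key: str, org_id: str) -> bool:
    """Prefix validation for any key echoed back to the API (for example in an
    upload-complete call): it must sit under this organization's prefix and
    contain no traversal or separator tricks."""
    if ".." in key or key.startswith("/") or "\\" in key:
        return False
    return key.startswith(f"orgs/{org_id}/documents/") and key.endswith(".pdf")


def sanitise_filename(name: str) -> str:
    """Strip path components, restrict to a safe character set and force a .pdf suffix."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base).strip("._")[:120] or "document"
    return base if base.lower().endswith(".pdf") else base + ".pdf"


def validate_upload(declared_mime: str, size_bytes: int, head: bytes) -> Optional[str]:
    """Return None when the upload is acceptable, otherwise the rejection reason.
    The magic-byte check makes the allowlist independent of the client's claim."""
    if declared_mime not in ALLOWED_MIME:
        return "mime not allowed"
    if size_bytes > MAX_UPLOAD_BYTES:
        return "file too large"
    if not head.startswith(b"%PDF-"):
        return "content is not a PDF"
    return None


if __name__ == "__main__":
    key = storage_key_for("org-a", "doc-1")
    print(key, key_belongs_to_org(key, "org-a"))
    print(sanitise_filename("../../etc/passwd"))
    print(validate_upload("application/pdf", 1024, b"%PDF-1.7\n"))
```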
4. AI-assisted analysis
- Document text is processed through a Tailscale-reachable LiteLLM gateway. Provider keys do not live in the application; we hold a per-caller bearer token only.
- The LiteLLM gateway runs with verbose request/response logging disabled and message-content redaction enabled. Document text and rendered prompts are not retained on the gateway side.
- AI-generated findings are decision support, not legal advice. Transaction Ops does not guarantee compliance and does not replace broker, legal, or regulatory review. Final review is the user’s responsibility. See the Terms of Service.
5. Audit trail
- Every important action — document upload-complete, status change, finding dismiss / resolve / edit, transaction create / update / delete, data export — appends an immutable audit row.
- Audit rows are decoupled from organization / user FKs via ON DELETE SET NULL, so a hard tenant scrub cannot destroy the audit trail.
6. Retention
- Original PDFs: 365 days by default; per-organization override is available on request. The retention sweep clears the storage key and sets archived_at; the document row remains so the dashboard still shows the upload happened.
- Extracted page text and JSONB blobs: 90 days by default. After the rules engine has run, the findings carry the lasting record; the underlying text is reaped.
- Findings, deadlines, and audit events: retained for the lesser of 7 years and your contracted retention window.
- n8n execution data: 14 days; success-execution payloads are not retained at all.
- Full retention contract: docs/DATA_RETENTION.md in the source repository.
7. Operational hardening
- Rate limits on every user-driven mutation, plus per-org concurrency and rolling-24h ceilings to absorb abuse.
- Idempotent processing pipeline: every analysis run carries a stamped attempt id. Late or duplicate n8n callbacks are dropped silently; user-dismissed findings are never resurrected by a re-run of the rules engine.
- Dead-letter terminal state once a document exhausts its retry budget; the user is told to upload a different copy.
- Strict CORS allowlist (no wildcards in production), tightened security-header bundle, and structured JSON logs with regex redaction of signed URLs / Bearer tokens / API keys / emails.
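The idempotent pipeline described above (a stamped attempt id per run, late or duplicate callbacks dropped, dismissed findings never resurrected, and a dead-letter state once the retry budget is spent) is modelled in the following added Python example. It is not the service's own code: the state names, the retry budget of three, and the `DocumentRun`/`Finding` shapes are assumptions made for the illustration.

```python
# Added example (assumed states and retry budget, not the project's code):
# attempt-id stamping so that only the callback for the current attempt is
# applied, with dismissed findings preserved across re-runs.
import uuid
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAX_ATTEMPTS = 3  # assumed retry budget before the document is dead-lettered


@dataclass
class Finding:
    rule_id: str
    dismissed: bool = False


@dataclass
class DocumentRun:
    doc_id: str
    status: str = "pending"            # pending | running | complete | retry | dead_letter
    attempt_id: Optional[str] = None   # stamp of the one attempt whose callback is accepted
    attempts: int = 0
    findings: Dict[str, Finding] = field(default_factory=dict)  # rule_id -> Finding


def start_analysis(doc: DocumentRun) -> Optional[str]:
    """Begin a new attempt and return its stamp, or None once the budget is exhausted."""
    if doc.status == "dead_letter" or doc.attempts >= MAX_ATTEMPTS:
        doc.status = "dead_letter"     # terminal: the user is asked for a different copy
        return None
    doc.attempts += 1
    doc.attempt_id = uuid.uuid4().hex  # every run carries a fresh stamp
    doc.status = "running"
    return doc.attempt_id


def handle_callback(doc: DocumentRun, attempt_id: str, rule_hits: List[str]) -> str:
    """Apply the rules-engine result for the stamped attempt; drop anything else.
    Returns "applied" or "dropped"."""
    if doc.status != "running" or attempt_id != doc.attempt_id:
        return "dropped"               # late, duplicate or stale callback: silently ignored
    for rule_id in rule_hits:
        if rule_id not in doc.findings:
            doc.findings[rule_id] = Finding(rule_id)
        # An existing finding keeps its state, so a user's dismissal survives a re-run.
    doc.status = "complete"
    return "applied"


def fail_attempt(doc: DocumentRun, attempt_id: str) -> str:
    """Record a failed attempt: retry while budget remains, else dead-letter."""
    if doc.status != "running" or attempt_id != doc.attempt_id:
        return "dropped"
    doc.status = "dead_letter" if doc.attempts >= MAX_ATTEMPTS else "retry"
    return doc.status


if __name__ == "__main__":
    doc = DocumentRun("doc-1")
    first = start_analysis(doc)
    print(handle_callback(doc, "stale-stamp", ["R1"]))      # dropped
    print(handle_callback(doc, first, ["R1", "R2"]))       # applied
    print(handle_callback(doc, first, ["R1"]))             # dropped (duplicate)
    doc.findings["R1"].dismissed = True
    second = start_analysis(doc)
    print(handle_callback(doc, second, ["R1", "R3"]))      # applied, R1 stays dismissed
    print(doc.findings["R1"].dismissed)                    # True
```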
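The log redaction mentioned in the last item (signed URLs, Bearer tokens, API keys and email addresses scrubbed from structured JSON logs by regex) is demonstrated by this added Python example. It is not the service's own logging code: the patterns, the placeholder strings and the sample log records are constructed for this page, and the signed-URL pattern targets the common S3-style query parameters rather than any specific provider's format.

```python
# Added example (constructed patterns and sample records, not the project's code):
# regex redaction applied to every string leaf of a structured log record.
import json
import re
from typing import Any, List, Pattern, Tuple

# Order matters: tokens and signatures are scrubbed before the broad email pattern.
REDACTIONS: List[Tuple[Pattern[str], str]] = [
    # "Bearer <token>" in headers or free text
    (re.compile(r"(?i)bearer\s+[A-Za-z0-9._~+/=-]+"), "Bearer [REDACTED]"),
    # header- or query-style API keys: x-api-key: ..., api_key=...
    (re.compile(r"(?i)\b(x-api-key|api[_-]?key)(\s*[:=]\s*)[^\s,;\"']+"), r"\1\2[REDACTED]"),
    # S3-style presigned URL parameters
    (re.compile(r"(?i)([?&](?:X-Amz-Signature|X-Amz-Credential|X-Amz-Security-Token|Signature)=)"
                r"[^&\s\"']+"), r"\1[REDACTED]"),
    # email addresses
    (re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"), "[EMAIL]"),
]


def redact(text: str) -> str:
    """Apply every redaction pattern in order to a single string."""
    for pattern, replacement in REDACTIONS:
        text = pattern.sub(replacement, text)
    return text


def redact_record(value: Any) -> Any:
    """Walk a JSON-like record and redact every string leaf, leaving structure intact."""
    if isinstance(value, str):
        return redact(value)
    if isinstance(value, dict):
        return {k: redact_record(v) for k, v in value.items()}
    if isinstance(value, list):
        return [redact_record(v) for v in value]
    return value


# Constructed sample record, shaped like a structured request log line.
SAMPLE_RECORD = {
    "level": "info",
    "msg": "download url issued for jane.doe@example.com",
    "headers": {"authorization": "Bearer eyJhbGciOi.abc.def", "x-api-key": "sk_live_abc123"},
    "url": "https://e2.example/bucket/k.pdf?X-Amz-Credential=AKIA/20260506&X-Amz-Signature=abcd1234",
    "status": 200,
}


def emit(record: dict) -> str:
    """Serialise a redacted copy of the record as one JSON log line."""
    return json.dumps(redact_record(record), separators=(",", ":"))


if __name__ == "__main__":
    print(emit(SAMPLE_RECORD))
```

Running redaction over the whole record rather than only the message string is the point: secrets in headers, nested objects and lists are scrubbed without each log call site having to remember to do it.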
8. Reporting a security issue
If you believe you have found a security vulnerability in the Service, contact the email address listed in your subscription agreement. Please do not disclose publicly until we have had a reasonable opportunity to investigate and address.
9. Changes
We will update this page when the Service’s controls change. See the source repository for the canonical, dated runbooks underlying every claim above.