Security Architecture
Sorcia is built with enterprise-grade security from the ground up.
Core Security Principles
- Encryption - Data encrypted at rest and in transit
- Isolation - Multi-tenant with row-level security
- Permission-Aware - Respects source system permissions
- Audit Logging - Complete audit trail
Data Protection
Encryption
At Rest:
- AES-256 encryption (Supabase)
- Encrypted database backups
- Encrypted embeddings storage
In Transit:
- TLS 1.3 for all connections
- HTTPS-only API endpoints
- Encrypted webhook payloads
Data Isolation
Multi-Tenancy:
- Row-Level Security (RLS) in PostgreSQL
- Organization-scoped data
- No cross-tenant data access
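The organization-scoped RLS model described above, as an added SQL example rather than Sorcia's own schema or policies: the table and column names, the `authenticated` role and Supabase's `auth.uid()` helper are assumptions made here, and the JWT claim used in the sanity check is a placeholder.

```sql
-- Constructed example schema (not Sorcia's own): a membership table and
-- an organization-scoped documents table.
CREATE TABLE organization_members (
  organization_id uuid NOT NULL,
  user_id         uuid NOT NULL REFERENCES auth.users (id),
  role            text NOT NULL CHECK (role IN ('owner', 'admin', 'member')),
  PRIMARY KEY (organization_id, user_id)
);

CREATE TABLE documents (
  id              uuid PRIMARY KEY DEFAULT gen_random_uuid(),
  organization_id uuid NOT NULL,
  title           text NOT NULL,
  content         text NOT NULL
);

-- Turn RLS on. FORCE applies the policies to the table owner as well, so a
-- connection that happens to own the table cannot bypass tenant isolation.
ALTER TABLE organization_members ENABLE ROW LEVEL SECURITY;
ALTER TABLE documents ENABLE ROW LEVEL SECURITY;
ALTER TABLE documents FORCE ROW LEVEL SECURITY;

-- Members may read only their own membership rows.
CREATE POLICY members_self_read ON organization_members
  FOR SELECT USING (user_id = auth.uid());

-- A caller sees documents only for organizations they belong to.
-- auth.uid() is Supabase's helper returning the "sub" claim of the caller's JWT.
CREATE POLICY documents_tenant_read ON documents
  FOR SELECT USING (
    organization_id IN (
      SELECT organization_id FROM organization_members
      WHERE user_id = auth.uid()
    )
  );

-- No INSERT/UPDATE/DELETE policies are created: with RLS enabled, inserts are
-- rejected and updates/deletes match zero rows for the application role,
-- which matches the read-only guarantee.
GRANT SELECT ON organization_members, documents TO authenticated;

-- Sanity check: impersonate a tenant user in psql and confirm only that
-- tenant's rows come back. The uuid below is a placeholder.
BEGIN;
SET LOCAL ROLE authenticated;
SET LOCAL request.jwt.claims = '{"sub": "00000000-0000-0000-0000-000000000001"}';
SELECT id, organization_id, title FROM documents;  -- only the caller's org(s)
ROLLBACK;
```

Run the sanity check with a second placeholder user id that has no membership row; the query should return nothing rather than another tenant's documents.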
Authentication & Authorization
Authentication
- JWT-based - Stateless sessions
- OAuth 2.0 - Integration auth
- MFA - Multi-factor authentication (Enterprise)
- SSO - SAML/OIDC (Enterprise)
Authorization
- Role-Based - Owner, Admin, Member
- Permission Groups - Custom access control
- Source Mirroring - Respects original permissions
Infrastructure Security
Hosting
- Vercel - Edge network with DDoS protection
- Supabase - SOC 2 Type II certified
- AWS - Enterprise-grade infrastructure
Network Security
- Firewall - Application-level firewall
- Rate Limiting - API rate limits
- IP Allowlisting - Enterprise feature
Compliance
- SOC 2 Type II - Independently audited security controls
- GDPR - EU data protection compliance
- CCPA - California privacy rights
- HIPAA - Healthcare data security (Enterprise)
Data Privacy
Data Collection
We collect only what's necessary:
- Query text (for processing)
- Document content (for indexing)
- Usage analytics (for improvement)
Data Retention
- Documents - Synced from source, deleted with integration
- Query logs - 90 days (configurable)
- Audit logs - 1 year minimum
- Embeddings - Until document deleted
Data Rights
Users can request:
- Data export - Full data dump
- Data deletion - Right to erasure
- Access logs - View all queries
Security Features
Read-Only Access
All integrations are read-only. Sorcia never modifies your data.
Permission Sync
- Real-time permission updates
- Source system as source of truth
- Automatic re-validation
Audit Logging
Every action logged:
- User queries
- Document access
- Permission changes
- Integration events
Incident Response
Security Monitoring
- 24/7 automated monitoring
- Anomaly detection
- Immediate alerting
Response Plan
- Detection - Automated alerts
- Assessment - Team evaluation
- Containment - Isolate issue
- Communication - Customer notification
- Resolution - Fix and verify
- Post-Mortem - Document learnings
Best Practices
- Use Strong Passwords - Minimum 12 characters, mix of types
- Enable MFA - Multi-factor authentication for all admins
- Review Access Regularly - Audit permissions quarterly
- Monitor Audit Logs - Check for unusual activity