GroundPound.ai is part of the SurfTurf.ai family of services, built and operated by SurfTurf.AI LLC.
Security at GroundPound.ai
Last updated: 2026-06-11 | Reporting security issues: security@groundpound.ai (subject line: "Security disclosure")
We treat security as a product attribute, not a compliance checkbox. This page is the public summary of our current posture. It is updated whenever we ship a security-affecting change.
Tenancy + data isolation
- Row-Level Security (RLS) is enforced on every multi-tenant table. Every SELECT, INSERT, UPDATE, and DELETE is gated by `org_id = auth.org_id()`.
- Cross-org leak detection runs as a regression test in CI. Any query that returns rows from another organization fails the build.
- Service-role queries (the small set of admin and cron paths that intentionally cross orgs) are explicitly named, code-reviewed, and pinned by an audit script.
Authentication + session
- Passwordless sign-in via a magic-link prefix followed by 6-digit OTP code. We migrated from URL-only magic links in May 2026 because corporate URL-prefetch scanners were burning one-time tokens before users clicked.
- Sessions are short-lived JWTs nonce-protected against replay. State secrets are separated (`OAUTH_STATE_SECRET` distinct from session-signing), and OAuth state nonces are burned on first use.
- SSO/OAuth is available for enterprise customers via Supabase Auth's standard providers.
- Phishing-resistant MFA (passkeys): Users can enroll FIDO2/WebAuthn passkeys (Touch ID, Windows Hello, or a hardware security key) from Settings → Organization → Security & passkeys. Passkeys are origin-bound and cannot be phished or replayed. A recent passkey assertion is required before connecting a bank account via Plaid; we store only the public credential (never a private key) and reject non-incrementing authenticator counters as a clone/replay signal.
Vendor keys + secrets (BYOK)
- Bring Your Own Key: Operators connect their own Anthropic / OpenAI / Google / xAI / Mistral / Together / OpenRouter / Stripe / Plaid / DocuSign / etc. credentials. Platform-funded keys are available as a fallback, billed at cost-plus, and used only when the operator hasn't supplied their own. Vertex AI Gemini and Azure OpenAI are platform-funded routes, not single-key BYOK cards.
- Coordinated rotation: When a vendor secret is rotated, the platform propagates the new value to all dependent runtimes in a single operator-initiated event. Per-rotation status is auditable.
- Field-level credential encryption: Integration credentials — vendor OAuth tokens (Microsoft Graph, Google Workspace, Slack, etc.), LLM BYOK keys, webhook signing keys, the Plaid access token, and other recoverable API keys — are encrypted at the application layer with AES-256-GCM and per-environment keys before they are written to the database. Legacy plaintext rows are covered by the same lazy `enc:v1` migration path and drift scanners.
- Runtime isolation: The agent runtime decrypts OAuth tokens written by the platform via a per-org HMAC + timing-safe bearer mechanism. Cross-runtime credential handoff is auth-gated.
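The field-level encryption and lazy `enc:v1` migration described above can be sketched as follows. This is an added example, not GroundPound.ai's code: only the `enc:v1` tag comes from this page, while the byte layout after it, the `aad` row binding and all function names are assumptions.

```javascript
const nodeCrypto = require('node:crypto');

// "enc:v1" is the tag named on the page; everything after it is an assumed layout:
// base64( 12-byte nonce | 16-byte GCM tag | ciphertext ).
const PREFIX = 'enc:v1:';

// `aad` (hypothetical, e.g. "org_id:column") binds the ciphertext to its row, so a
// value copied into another org's row fails authentication on decrypt.
function encryptField(key, plaintext, aad) {
  const iv = nodeCrypto.randomBytes(12); // fresh nonce per write; never reuse with a key
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(aad, 'utf8'));
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return PREFIX + Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64');
}

function decryptField(key, stored, aad) {
  const raw = Buffer.from(stored.slice(PREFIX.length), 'base64');
  if (raw.length < 28) throw new Error('truncated ciphertext');
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
  decipher.setAAD(Buffer.from(aad, 'utf8'));
  decipher.setAuthTag(raw.subarray(12, 28));
  // final() throws if key, AAD, nonce, tag or ciphertext has been altered.
  const pt = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
  return pt.toString('utf8');
}

// Lazy migration: a legacy plaintext row is served as-is and comes back with the
// encrypted form the caller should write over it.
function readCredential(key, stored, aad) {
  if (stored.startsWith(PREFIX)) {
    return { value: decryptField(key, stored, aad), rewrite: null };
  }
  return { value: stored, rewrite: encryptField(key, stored, aad) };
}

// Drift scan: ids of rows whose secret column is still plaintext.
function findPlaintextRows(rows) {
  return rows.filter((r) => !r.secret.startsWith(PREFIX)).map((r) => r.id);
}
```

The key must be exactly 32 bytes, and a drift scan returning an empty list is the signal that the plaintext fallback in `readCredential` can be removed.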
Application-layer guards
- SSRF protection: Outbound `fetch_url`, `webhook_post`, and `pdf_extract` tools enforce DNS-pinned destination allow-lists; private IP ranges (RFC 1918, link-local, IPv6 unique-local) are rejected.
- Rate limiting: Redis-backed limits on LLM-burn surfaces (per-org token-spend caps) and email-send (per-org per-recipient throttle).
- Object storage: Presigned-URL uploads enforce `Content-Length` server-side; per-org storage quota is checked before issuance.
- Capability mapper: Server-side mapping; caller-supplied `orgId` is ignored.
- Approval-gated actions: Trading orders, DocuSign sends, customer-facing portal replies, security-deposit dispositions, and other irreversible operations require an explicit operator approval; scheduled-approval is rejected on trading-order categories.
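A DNS-pinned allow-list check of the kind the SSRF bullet describes can be sketched like this. It is an added example, not GroundPound.ai's code: the function names, the https-only rule and the loopback entries are assumptions, and the DNS answers are passed in so the check runs offline.

```javascript
const net = require('node:net');

// Ranges named on the page, plus loopback (added here as an assumption).
const blocked = new net.BlockList();
blocked.addSubnet('10.0.0.0', 8, 'ipv4');     // RFC 1918
blocked.addSubnet('172.16.0.0', 12, 'ipv4');  // RFC 1918
blocked.addSubnet('192.168.0.0', 16, 'ipv4'); // RFC 1918
blocked.addSubnet('169.254.0.0', 16, 'ipv4'); // IPv4 link-local
blocked.addSubnet('127.0.0.0', 8, 'ipv4');    // loopback
blocked.addSubnet('fe80::', 10, 'ipv6');      // IPv6 link-local
blocked.addSubnet('fc00::', 7, 'ipv6');       // IPv6 unique-local
blocked.addAddress('::1', 'ipv6');            // loopback

// Step 1: decide from the URL alone whether the destination may be contacted.
function checkHost(rawUrl, allowedHosts) {
  const url = new URL(rawUrl);
  if (url.protocol !== 'https:') throw new Error('scheme not allowed');
  const host = url.hostname.replace(/^\[|\]$/g, ''); // strip IPv6 literal brackets
  if (net.isIP(host) !== 0) throw new Error('IP literals not allowed');
  if (!allowedHosts.has(host)) throw new Error('host not on allow-list');
  return host;
}

// Step 2: `answers` is the result of ONE lookup, e.g. from
// dns.promises.lookup(host, { all: true }). Every answer is vetted, so a record
// set mixing a public and a private address is rejected as a whole.
function pinAddress(host, answers) {
  if (answers.length === 0) throw new Error('no addresses for ' + host);
  for (const { address, family } of answers) {
    if (blocked.check(address, family === 6 ? 'ipv6' : 'ipv4')) {
      throw new Error(host + ' resolves to blocked address ' + address);
    }
  }
  // The caller connects to this exact IP and sends `host` as Host/SNI, so no
  // second DNS lookup happens between the check and the connection.
  return { host, address: answers[0].address, family: answers[0].family };
}
```

Redirects need the same two steps applied to every hop, since a response from an allowed host can point at a destination that is not.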
Encryption
- In transit: TLS 1.2+ across all customer surfaces (HSTS preloaded).
- At rest: AES-256 via Supabase managed Postgres + Cloudflare R2.
- In application: Sensitive fields (vendor tokens, webhook signing keys) re-encrypted with per-environment KMS-style keys before persistence.
Audit + testing
- Continuous regression testing: Five audit iterations (Rounds 1–5) across the last five weeks, each running static analysis + live-prod observability checks + end-to-end browser walk-throughs. All Critical and High findings remediated; the most recent hardening train added credential-gated MCP activation, platform spend caps, Foundry DB timeouts, run activity heartbeats, and shadow-verifier remediations through 2026-06-11.
- CI gates: Type-check, unit + integration tests, structural defense regression (cross-org leak, secret-leak, BYOK enforcement), preview build, preview deploy. Required for merge to main.
- Security testing: Our audit rounds include internal penetration-style testing of the application by our own team. These are internal exercises — we have not engaged a third-party firm for an external penetration test or independent assessment to date. In the most recent round (2026-05-22) there were no Critical findings and all High findings were remediated within 24 hours.
- Responsible disclosure: Report security issues to security@groundpound.ai with subject "Security disclosure". We aim to acknowledge within 24 hours, triage within 72, and remediate Critical/High issues within 7 days.
Certifications + roadmap
- SOC 2 Type II: Not currently certified. Under evaluation for 2026 H2; happy to discuss timing for enterprise procurement.
- HIPAA BAA: Not currently signed. Two healthcare-vertical templates are intentionally deferred pending a signed BAA + customer green-light. PHI-handling features will not ship until the BAA is in place.
- ISO 27001: Not currently certified. No active roadmap; happy to discuss if it's a procurement blocker for an enterprise customer.
Subprocessors
See the Data Processing Agreement (DPA) §6 for the current sub-processor list. Material changes are notified to operators with at least 30 days' notice via in-product banner + email.
Reporting issues
Security issues go to security@groundpound.ai — a dedicated, monitored security mailbox. Other inquiries go to info@groundpound.ai; a clear subject line gets them to the right inbox fast.
- Security disclosure: security@groundpound.ai (subject "Security disclosure")
- Privacy / data-subject request: info@groundpound.ai, subject "Privacy request"
- Compliance / audit request: info@groundpound.ai, subject "Compliance request"
We respond to every real report within 24 hours. Cold scanners, automated noise, and "we found a vulnerability, send Bitcoin" emails are ignored.
This page is updated whenever a security-affecting change ships. Most recent update: 2026-06-11.