Security

We sell to CISOs.
Here's our own posture.

You manage your most sensitive compliance, risk, and governance data in this platform — so this page describes the architecture as it actually is, including what's still on our roadmap. No vague badges, no claims we can't demonstrate in a live session.

Tenant Isolation

  • Postgres row-level security on 133 tenant tables — fail-closed, FORCE-enabled, WITH CHECK
  • Defense in depth: code-level organization scoping on top of database RLS
  • Automated authorization regression tests guard isolation on every change
  • Audited super-admin access: impersonation events are logged, never silent
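The three properties listed above (fail-closed, FORCE-enabled, WITH CHECK) translate into a small amount of Postgres DDL. The following is an added illustration, not the platform's own schema; the table, role and `app.tenant_id` setting names are assumptions.

```sql
-- Added example: one tenant-scoped table with row-level security configured
-- the way the bullets describe. Table/role/setting names are illustrative.
CREATE TABLE risk_register (
    id      bigserial PRIMARY KEY,
    org_id  uuid NOT NULL,
    title   text NOT NULL
);

-- ENABLE turns RLS on; FORCE applies it to the table owner as well, so a
-- connection that happens to use the owning role cannot silently bypass it.
ALTER TABLE risk_register ENABLE ROW LEVEL SECURITY;
ALTER TABLE risk_register FORCE ROW LEVEL SECURITY;

-- Fail-closed: if app.tenant_id is unset, current_setting(..., true) yields
-- NULL (or '' after a reset), NULLIF makes both NULL, the comparison is NULL,
-- and a NULL policy result denies the row instead of returning everything.
-- USING filters SELECT/UPDATE/DELETE; WITH CHECK rejects INSERT/UPDATE rows
-- that would land in another tenant, which USING alone does not prevent.
CREATE POLICY tenant_isolation ON risk_register
    FOR ALL
    USING     (org_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (org_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- Application role: neither a superuser nor BYPASSRLS, so the policy applies.
-- (The connecting login role must be granted membership: GRANT app_user TO ...)
CREATE ROLE app_user NOLOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON risk_register TO app_user;
GRANT USAGE, SELECT ON SEQUENCE risk_register_id_seq TO app_user;

-- Per-request pattern: scope the transaction to one tenant, then query.
-- (Constructed sample UUIDs.)
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO risk_register (org_id, title)
    VALUES ('11111111-1111-1111-1111-111111111111', 'Vendor risk review');
-- The next statement is rejected by WITH CHECK with
-- "new row violates row-level security policy":
-- INSERT INTO risk_register (org_id, title)
--     VALUES ('22222222-2222-2222-2222-222222222222', 'Cross-tenant write');
SELECT id, title FROM risk_register;   -- only tenant 1111... rows are visible
COMMIT;

-- A session that never runs SET LOCAL app.tenant_id sees zero rows from the
-- SELECT above rather than every tenant's data: that is the fail-closed case.
```

A useful regression test for the "automated authorization tests" bullet is exactly the commented-out cross-tenant INSERT and the unscoped SELECT: both should fail or return nothing on every change.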

Immutable Audit Trail

  • Hash-chained audit log — every entry cryptographically linked to the previous one
  • Tampering breaks the chain and is detectable
  • Every action timestamped and attributed to a user
  • AI actions logged with model, prompt class, and approver

Access Control

  • Plan-bounded role-based access control — four levels per module: none / view / edit / full
  • Per-user permission overrides within plan boundaries
  • Module-level disablement enforced at the API, not just hidden in the UI
  • Principle of least privilege as the default posture

Authentication

  • TOTP-based multi-factor authentication
  • Scoped API keys for programmatic access
  • Session management with timeouts
  • SSO (SAML 2.0 / OIDC) is on the near-term roadmap — see below

Governed AI

  • All AI is Anthropic Claude — a disclosed subprocessor, not a black box
  • Customer data is never used to train AI models
  • AI output lands as drafts for human approval — never silent writes
  • AI can be switched off per organization and per module

Data & Evidence Integrity

  • AES-256 encryption for data at rest, TLS for data in transit
  • SHA-256 hashes recorded for evidence files — forensically defensible evidence
  • Encrypted backups with restore testing
  • Data export available — your data is yours

How Sage AI works

We publish our AI plumbing: provider, data flows, retention, approval gates, and audit trail. Most vendors are vague about this — we think transparency is the whole point.

Read the AI transparency page

Where we are — honestly

We're a young platform and we'd rather tell you what's in flight than pretend it's done. Ask us about any of these in your demo — we'll show you the current state.

  • External penetration test: scheduled; a summary letter will be published here
  • ISO 27001 certification for Compliance Enablers itself: program underway, run on our own platform
  • SSO, SAML 2.0 + OIDC (Google Workspace, Microsoft Entra ID): near-term roadmap
  • Public status page: planned

Our Security Commitment

Our security practices are aligned with ISO 27001 controls — the same framework our founder manages professionally — and we are pursuing certification for the platform itself, run on our own product.

Want to see any of this live? The platform's Trust Center, audit log chain, and per-tenant AI controls are all part of the standard demo. Book one here.

For security questions or vulnerability reports, contact security@complianceenablers.com.