# Data handling inventory (non-legal)

Engineering outline of data categories (non-legal); use with privacy/terms work.
This document is an engineering outline of categories of data the application stores and processes. It is not a privacy policy or legal disclosure. Product-facing text must be drafted with counsel.
| Category | Examples | Typical storage | Notes |
|---|---|---|---|
| Account / identity | Email, name (Supabase Auth, users) | Supabase PostgreSQL | Dashboard login; approver identity for audit. |
| Marketing waitlist | Email (waitlist_signups.email_normalized), optional source | Supabase PostgreSQL | Public signup form; inserts via server action + service role only; no dashboard UI yet. |
| API credentials | Raw API keys (client); SHA-256 hashes (api_keys.key_hash) | DB holds hashes only | Raw keys never stored; never log raw keys. |
| Evaluation payloads | payload_scope, context_json (incl. optional mcp_trace / tool_calls), policy outcomes, pinned policy version | evaluations (incl. policy_version_id), audit_log | Core product data; classify per customer contract. MCP metadata supports agent-trace correlation. |
| Policy rulesets | Current JSON on policy; immutable version rows + ruleset hash | policies.ruleset_json, policy_versions (append-only), evaluations.policy_version_id | Dashboard edits update policies and append policy_versions; evaluate uses latest version at request time. |
| Human approval | Stage status, OTP digests (hashed), tokens, optional approval_deadline_at and timeout snapshots | approval_stages | Tokens are high-entropy; approve/reject via POST only. Deadlines enforced by cron when policies set approval_timeout_seconds. |
| Webhook | Integrator URL, POST payload snapshots (event approval vs terminal), optional signing secret / hostname allowlist | evaluations.webhook_url, webhook_deliveries (event_kind, payload_json), workspace_integration_settings (webhook_hmac_secret, webhook_allowed_hostnames) | Outbound only; SSRF + optional hostname allowlist before dispatch. Settings are admin-readable in DB/RLS; treat like policy config. |
| Email content | Approval links, OTP messages | Transacted via Resend | Retention subject to Resend and your settings. |
| Operational logs | apiLogLine JSON, request ids | Host stdout / log drain | Avoid PII and secrets in log fields. |
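The API credentials and Human approval rows above both come down to the same storage rule: a secret is shown to the caller once, only a digest of it is persisted, and verification hashes what the caller presents and compares. The following is an added example, not the project's code; it uses constructed in-memory rows in place of the api_keys and approval_stages tables, and the column names beyond key_hash, otp_digest, token, approval_deadline_at and status are assumptions. It also shows a log-safe key fingerprint, in line with the Operational logs row's rule against logging raw keys.

```typescript
import { createHash, randomBytes, randomInt, timingSafeEqual } from "node:crypto";

// Constructed in-memory stand-ins for api_keys and approval_stages rows; column names are assumptions.
interface ApiKeyRow { id: string; workspace_id: string; key_hash: string }
interface ApprovalStageRow {
  id: string;
  token: string;                      // high-entropy link token (assumed stored as-is)
  otp_digest: string;                 // SHA-256 digest of the OTP; the OTP itself is never stored
  approval_deadline_at: string | null;
  status: "pending" | "approved" | "rejected" | "timed_out";
}

const sha256Hex = (input: string): string =>
  createHash("sha256").update(input, "utf8").digest("hex");

// Issue an API key: the raw key is returned to the caller exactly once and only its digest is persisted.
export function issueApiKey(table: ApiKeyRow[], workspaceId: string): string {
  const rawKey = "sk_" + randomBytes(32).toString("base64url"); // 256 bits of entropy
  table.push({ id: randomBytes(8).toString("hex"), workspace_id: workspaceId, key_hash: sha256Hex(rawKey) });
  return rawKey;
}

// Authenticate a presented key by digest equality, mirroring an indexed `WHERE key_hash = $1` lookup.
export function lookupApiKey(table: ApiKeyRow[], presented: string): ApiKeyRow | null {
  const digest = sha256Hex(presented);
  return table.find((row) => row.key_hash === digest) ?? null;
}

// Fingerprint for log correlation: derived from the digest, so it reveals nothing about the raw key.
export function keyFingerprint(presented: string): string {
  return sha256Hex(presented).slice(0, 12);
}

// Create an approval stage: a 256-bit token for the link and a 6-digit OTP whose digest is keyed by
// the token, so a dump of otp_digest values cannot be reversed with one precomputed table.
export function createApprovalStage(
  table: ApprovalStageRow[],
  deadline: Date | null,
): { stage: ApprovalStageRow; otp: string } {
  const token = randomBytes(32).toString("base64url");
  const otp = String(randomInt(0, 1_000_000)).padStart(6, "0");
  const stage: ApprovalStageRow = {
    id: randomBytes(8).toString("hex"),
    token,
    otp_digest: sha256Hex(`${token}:${otp}`),
    approval_deadline_at: deadline ? deadline.toISOString() : null,
    status: "pending",
  };
  table.push(stage);
  return { stage, otp };
}

// Verify an OTP for an approve/reject POST: refuse non-pending or expired stages and compare digests
// in constant time. A 6-digit space is tiny, so the caller must also cap attempts per stage.
export function verifyOtp(stage: ApprovalStageRow, presentedOtp: string, now: Date): boolean {
  if (stage.status !== "pending") return false;
  if (stage.approval_deadline_at !== null && now.getTime() > Date.parse(stage.approval_deadline_at)) return false;
  const expected = Buffer.from(stage.otp_digest, "hex");
  const actual = Buffer.from(sha256Hex(`${stage.token}:${presentedOtp}`), "hex");
  return expected.length === actual.length && timingSafeEqual(expected, actual);
}
```

The deadline check in verifyOtp is the request-time half of the timeout rule; the cron described in the table is what flips stale stages to a terminal status so they stop appearing as pending at all.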
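The Webhook row states that outbound delivery passes an SSRF check and an optional hostname allowlist before dispatch, and may be signed with a workspace secret. The following is an added example of those two steps, not the project's implementation: it reads the webhook_hmac_secret and webhook_allowed_hostnames columns named in the table, while the rejection reasons, the IP range list and the "timestamp.body" signing layout are this example's own choices.

```typescript
import { createHmac } from "node:crypto";
import { isIP } from "node:net";

// Constructed stand-in for workspace_integration_settings; column names follow the inventory table.
interface IntegrationSettings {
  webhook_hmac_secret: string | null;
  webhook_allowed_hostnames: string[] | null;
}

type UrlCheck = { ok: true; url: URL } | { ok: false; reason: string };

// Literal addresses that must never be dispatched to: unspecified, loopback, RFC 1918, CGNAT,
// link-local (where cloud metadata endpoints live) and their IPv6 equivalents.
function isForbiddenLiteralIp(host: string): boolean {
  const version = isIP(host);
  if (version === 4) {
    const [a, b] = host.split(".").map(Number);
    return (
      a === 0 || a === 10 || a === 127 ||
      (a === 169 && b === 254) ||
      (a === 172 && b >= 16 && b <= 31) ||
      (a === 192 && b === 168) ||
      (a === 100 && b >= 64 && b <= 127)
    );
  }
  if (version === 6) {
    const h = host.toLowerCase();
    return h === "::" || h === "::1" || h.startsWith("fe80:") ||
      h.startsWith("fc") || h.startsWith("fd") || h.startsWith("::ffff:");
  }
  return false;
}

// Validate an integrator URL before dispatch. This checks the literal URL only; the dispatcher must
// also resolve the hostname, re-run the IP check on every resolved address, and refuse redirects.
export function validateWebhookUrl(rawUrl: string, settings: IntegrationSettings): UrlCheck {
  let url: URL;
  try {
    url = new URL(rawUrl);
  } catch {
    return { ok: false, reason: "unparseable URL" };
  }
  if (url.protocol !== "https:") return { ok: false, reason: "scheme must be https" };
  if (url.username || url.password) return { ok: false, reason: "credentials in URL" };
  const host = url.hostname.replace(/^\[|\]$/g, "").toLowerCase(); // IPv6 hostnames are bracketed
  if (host === "localhost" || host.endsWith(".localhost")) return { ok: false, reason: "loopback host" };
  if (isForbiddenLiteralIp(host)) return { ok: false, reason: "private or reserved address" };
  const allowlist = settings.webhook_allowed_hostnames;
  if (allowlist && allowlist.length > 0 && !allowlist.map((h) => h.toLowerCase()).includes(host)) {
    return { ok: false, reason: "hostname not in allowlist" };
  }
  return { ok: true, url };
}

// Sign a payload snapshot with the workspace secret: HMAC-SHA256 over "<unix ts>.<body>", so the
// integrator can both authenticate the delivery and reject stale replays by checking the timestamp.
export function signWebhookPayload(secret: string, unixTimestamp: number, body: string): string {
  return createHmac("sha256", secret).update(`${unixTimestamp}.${body}`, "utf8").digest("hex");
}
```

The signed string should be the exact bytes of payload_json that are sent, not a re-serialised copy; if the dispatcher pretty-prints or re-orders keys after signing, the integrator's verification will fail.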
## Retention (policy placeholder)

Define per-environment and per-customer retention for:

- evaluations
- policy_versions
- the related approval_stages, audit_log, and webhook_deliveries rows
Implementation options include scheduled Supabase SQL deletes, pg_cron, or external jobs. Not implemented in-repo until you choose windows (e.g. 90d / 1y) and legal basis.
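Whichever scheduler is chosen, the deletes have to respect how the tables reference each other, and the table above says evaluations pin a policy_version_id. The following is an added example of a retention planner, not code from the repo: it assumes that approval_stages and webhook_deliveries carry an evaluation_id, that every listed table has a created_at column, and that policy_versions rows may only go once no evaluation still references them. The windows are parameters, since the page leaves them undecided.

```typescript
// Constructed retention planner; not code from the repo. Assumed schema: approval_stages and
// webhook_deliveries have evaluation_id, every table has created_at, and evaluations.policy_version_id
// references policy_versions, so a version row is only removable once no evaluation pins it.
export interface RetentionWindows {
  evaluationsDays: number;    // e.g. 90
  auditLogDays: number;       // e.g. 365
  policyVersionsDays: number; // e.g. 365
}

export interface RetentionStep { table: string; sql: string; params: string[] }

// ISO timestamp for "now minus N days", used as the $1 bound of each DELETE.
export function retentionCutoff(now: Date, days: number): string {
  if (!Number.isInteger(days) || days <= 0) {
    throw new Error(`retention window must be a positive day count, got ${days}`);
  }
  return new Date(now.getTime() - days * 86_400_000).toISOString();
}

// Ordered, parameterised DELETE statements: child rows before evaluations, and policy_versions last
// with a NOT EXISTS guard so pinned versions survive whatever the window says.
export function buildRetentionPlan(now: Date, windows: RetentionWindows): RetentionStep[] {
  const evalCutoff = retentionCutoff(now, windows.evaluationsDays);
  const auditCutoff = retentionCutoff(now, windows.auditLogDays);
  const versionCutoff = retentionCutoff(now, windows.policyVersionsDays);
  const expiredEvaluations = "SELECT id FROM evaluations WHERE created_at < $1";
  return [
    { table: "approval_stages", sql: `DELETE FROM approval_stages WHERE evaluation_id IN (${expiredEvaluations})`, params: [evalCutoff] },
    { table: "webhook_deliveries", sql: `DELETE FROM webhook_deliveries WHERE evaluation_id IN (${expiredEvaluations})`, params: [evalCutoff] },
    { table: "evaluations", sql: "DELETE FROM evaluations WHERE created_at < $1", params: [evalCutoff] },
    { table: "audit_log", sql: "DELETE FROM audit_log WHERE created_at < $1", params: [auditCutoff] },
    {
      table: "policy_versions",
      sql: "DELETE FROM policy_versions pv WHERE pv.created_at < $1 AND NOT EXISTS (SELECT 1 FROM evaluations e WHERE e.policy_version_id = pv.id)",
      params: [versionCutoff],
    },
  ];
}
```

Run the steps in order inside one transaction, whether from a pg_cron job or an external worker, and log the row counts per table so the retention job itself leaves an operational trail without copying any payload content into the logs.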
## Subprocessors
Common stack elements referenced in deployment docs: Supabase (DB/Auth), Resend (email), Netlify or other host, Upstash (optional rate limits), Sentry (optional errors). Maintain an accurate list for your DPA.