Customers trust sharpr.ai with their demand and inventory data — data that drives buying decisions, working capital, and customer service. We treat protecting that data as a first-class engineering commitment, not an afterthought.
This page summarizes the technical and organizational controls we have in place. For deeper detail (architecture diagrams, sub-processor list, security questionnaires, current SOC 2 status) request our security pack at security@sharpr.ai.
1. Application security
- TLS 1.3 in transit. All web and API traffic is encrypted end-to-end. HSTS enforced.
- AES-256 at rest. Customer data is encrypted at the database and storage layer.
- Authentication via WorkOS. Identity, sessions, and password handling are managed by WorkOS. SAML SSO and TOTP MFA are available; SCIM provisioning on Enterprise.
- Role-based access control. Edits are gated by role (planner, master_user, it_admin). Lock semantics prevent unauthorized changes to closed planning periods.
- Audit logging. Every state-changing action — forecast regenerate, override, suppression — is recorded in an append-only audit log with user, timestamp, and before/after values.
- Tenant isolation. All queries are scoped by tenant_id at the database layer. Postgres Row Level Security is enabled on all public tables.
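The two database-layer controls above (tenant scoping with Row Level Security, and an append-only audit log with before/after values) can be expressed directly in Postgres. The script below is an added illustration, not sharpr.ai's schema or code: the table names, the `app.tenant_id` / `app.user_id` settings that the API is assumed to set per request, and the `app_user` role are all assumptions made for the example.

```sql
-- Added example (not sharpr.ai's schema). Assumed: a tenant-scoped planning table,
-- an application role "app_user", and an API that runs each request in a transaction
-- after SET LOCAL app.tenant_id / app.user_id.
CREATE ROLE app_user NOLOGIN;

CREATE TABLE forecast_override (
    id         bigserial PRIMARY KEY,
    tenant_id  uuid    NOT NULL,
    sku        text    NOT NULL,
    quantity   integer NOT NULL,
    updated_by text    NOT NULL
);

-- Tenant isolation: rows are visible and writable only when tenant_id equals the
-- request's app.tenant_id. A query that forgets its WHERE clause still sees nothing
-- from other tenants, and an INSERT with a foreign tenant_id fails the WITH CHECK.
-- FORCE makes the policy apply to the table owner as well, not only to app_user.
ALTER TABLE forecast_override ENABLE ROW LEVEL SECURITY;
ALTER TABLE forecast_override FORCE ROW LEVEL SECURITY;

CREATE POLICY tenant_isolation ON forecast_override
    USING      (tenant_id = current_setting('app.tenant_id', true)::uuid)
    WITH CHECK (tenant_id = current_setting('app.tenant_id', true)::uuid);
-- current_setting(..., true) yields NULL when the setting is absent, so an
-- unscoped session matches no rows instead of every row.

-- Audit log: who changed what, when, with the full row before and after.
CREATE TABLE audit_log (
    id          bigserial   PRIMARY KEY,
    tenant_id   uuid        NOT NULL,
    table_name  text        NOT NULL,
    action      text        NOT NULL,          -- INSERT / UPDATE / DELETE
    actor       text        NOT NULL,
    occurred_at timestamptz NOT NULL DEFAULT now(),
    before_row  jsonb,
    after_row   jsonb
);

-- Append-only: the application role may add and read entries, never rewrite them.
GRANT SELECT, INSERT, UPDATE, DELETE ON forecast_override TO app_user;
GRANT SELECT, INSERT ON audit_log TO app_user;
REVOKE UPDATE, DELETE, TRUNCATE ON audit_log FROM app_user, PUBLIC;

-- Audit entries are tenant-scoped too, with the same policy shape.
ALTER TABLE audit_log ENABLE ROW LEVEL SECURITY;
ALTER TABLE audit_log FORCE ROW LEVEL SECURITY;
CREATE POLICY tenant_isolation ON audit_log
    USING      (tenant_id = current_setting('app.tenant_id', true)::uuid)
    WITH CHECK (tenant_id = current_setting('app.tenant_id', true)::uuid);

CREATE OR REPLACE FUNCTION record_audit() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    INSERT INTO audit_log (tenant_id, table_name, action, actor, before_row, after_row)
    VALUES (
        CASE WHEN TG_OP = 'DELETE' THEN OLD.tenant_id ELSE NEW.tenant_id END,
        TG_TABLE_NAME,
        TG_OP,
        COALESCE(current_setting('app.user_id', true), session_user),
        CASE WHEN TG_OP IN ('UPDATE', 'DELETE') THEN to_jsonb(OLD) END,
        CASE WHEN TG_OP IN ('INSERT', 'UPDATE') THEN to_jsonb(NEW) END
    );
    IF TG_OP = 'DELETE' THEN
        RETURN OLD;
    END IF;
    RETURN NEW;
END;
$$;

CREATE TRIGGER forecast_override_audit
    AFTER INSERT OR UPDATE OR DELETE ON forecast_override
    FOR EACH ROW EXECUTE FUNCTION record_audit();

-- Per-request pattern: SET LOCAL scopes both settings to this transaction only,
-- so a pooled connection cannot leak one tenant's context into the next request.
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';  -- constructed value
SET LOCAL app.user_id   = 'planner@example.com';                     -- constructed value
INSERT INTO forecast_override (tenant_id, sku, quantity, updated_by)
    VALUES ('11111111-1111-1111-1111-111111111111', 'SKU-42', 120, 'planner@example.com');
UPDATE forecast_override SET quantity = 90 WHERE sku = 'SKU-42';
-- Only this tenant's rows are visible, and the audit log carries one entry per
-- state change with the old and new quantity in before_row / after_row.
SELECT sku, quantity FROM forecast_override;
SELECT action, actor, before_row->>'quantity' AS before_qty,
       after_row->>'quantity' AS after_qty
  FROM audit_log ORDER BY id;
COMMIT;
```

Two points are easy to miss when reproducing this pattern: without `FORCE ROW LEVEL SECURITY`, the table owner (often the migration or admin role) bypasses the policy entirely; and using `SET` instead of `SET LOCAL` leaves the tenant setting on the connection after the transaction ends, which is a cross-tenant leak waiting to happen behind a connection pooler.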
2. Infrastructure
- Hosting. Application tier on Vercel; backend API on Render (ap-southeast-1, Singapore region).
- Database. Managed Postgres on Supabase with point-in-time recovery, daily snapshots, and TLS-only connections.
- Region. Primary processing in Singapore (ap-southeast-1). Cross-region replication available on Enterprise.
- Vendor due diligence. All sub-processors are vetted and bound by data processing agreements before they touch customer data.
3. Internal access
- Production access is restricted to a small number of engineers, gated by SSO and MFA, and granted on a least-privilege basis.
- Direct production database access requires named, time-bounded credentials and is logged.
- Direct dashboard SQL edits to production are forbidden; all schema changes ship through reviewed migration files.
- Hardware: company-managed laptops with full-disk encryption and endpoint protection.
4. Secure development
- All code is peer-reviewed before merge to main. Direct pushes to main are restricted to repository administrators via GitHub branch protection rules.
- Static type checking, linting, and automated tests run on every change.
- Dependencies are monitored for known vulnerabilities; security advisories are triaged within one business day.
- Secrets are never committed to source control; environment variables are managed via vendor-provided secret stores.
5. Backups & disaster recovery
- Continuous WAL-based replication plus automated daily snapshots, retained for 30 days.
- Point-in-time recovery available within the retention window.
- Recovery procedures are documented and rehearsed.
- Recovery objectives for paid plans: RPO ≤ 1 hour, RTO ≤ 4 hours.
6. Incident response
- Security incidents are triaged 24/7 by on-call engineering.
- Customers affected by a security incident will be notified without undue delay, in accordance with applicable law and your contract.
- Post-incident reviews are conducted to identify root causes and prevent recurrence.
Suspected security issue? Email security@sharpr.ai — we respond to all reports within one business day.
7. AI & data usage
- Customer data is processed only to deliver the Service. We do not sell it and we do not use it to train third-party AI models.
- The in-product Morpheus assistant uses Anthropic's API. Prompts are configured so they are not used to train Anthropic's models.
- De-identified, aggregated metrics may be used to improve the Service.
8. Compliance
- SOC 2 Type II — in progress. Targeted before any Phase 4 (financial-impact) features ship.
- GDPR — we honor data subject rights described in our Privacy Policy; Standard Contractual Clauses for international transfers where required.
- CCPA / CPRA — California residents have the rights described in our Privacy Policy.
We are happy to walk prospective customers through our current security posture under NDA — including which compliance items are complete, in progress, or planned.
9. Reporting a vulnerability
We welcome reports from security researchers. Please email security@sharpr.ai with a description of the issue and reproduction steps. Do not perform automated scanning or testing against production without prior written agreement.
We will acknowledge receipt within one business day, work in good faith to resolve the issue promptly, and credit responsible disclosures where you'd like.