CUSTOMER SECURITY REVIEW

This page is provided for customer due diligence. Control mappings are informational; certifications are not claimed unless explicitly stated in a signed report.

Security Center

Security posture, controls, and evidence for SecurePoint USA. Built for defense, aerospace, and regulated facilities.

1. Security at a Glance

What we protect

  • Visitor PII, ID images (DL, passport, gov IDs), badge photos
  • Screening decisions, adjudication records, audit logs
  • Site and organization access controls

Core security principles

  • Tenant isolation enforced at the database layer (RLS)
  • Zero-trust client architecture with no exposed secrets
  • Immutable audit logging via database triggers
  • Encryption in transit (TLS) and at rest (Provider Managed)

Status: Controlled Beta · SOC 2 Controls Mapped · CMMC L2 Mapped · ITAR/EAR Support Ready

2. Architecture & Trust Boundaries

[Architecture diagram. Labels: Client Browser; TLS / HTTPS; Trust Boundary: Edge (API Routes, Middleware); Supabase (Postgres), RLS Enforced; Private Storage, Signed URLs Only]

Architecture Stack

Client Browser → Vercel Edge and API Routes → Supabase Postgres (RLS)

Private Storage Buckets for IDs, photos, evidence, exports.

Trust Boundaries

  • Client ↔ Edge: TLS 1.2+ enforced, secure cookies
  • Edge ↔ Database: Authenticated service connections, RLS enforced
  • Edge ↔ Storage: Private buckets, signed URL access only

3. Multi-Tenant Data Isolation

Database-Enforced RLS

All tenant data is strictly scoped by organization_id columns. Row-Level Security (RLS) policies enforce access control at the database engine level, ensuring data isolation even if application logic fails.

[Diagram: RLS policy applied to a query]

Query: SELECT * FROM logs
RLS Policy: WHERE org_id = current()

id    org_id     data
1     org_A      ...
2     org_YOU    Secure Payload
3     org_B      ...

What this means

  • Cross-tenant reads are blocked by database policy
  • Cross-tenant writes are blocked by database policy
  • Policy violations act as a fail-safe against application bugs
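
One way to express the policy described in this section in plain PostgreSQL, as an added example rather than SecurePoint's schema. The `visitor_logs` table, `app_user` role, `current_org_id()` helper and `app.current_org_id` setting are assumptions, and the rows are constructed.

```sql
-- Added example for PostgreSQL. Table, role, policy and setting names are assumptions.
CREATE TABLE visitor_logs (
    id              bigint PRIMARY KEY,
    organization_id text   NOT NULL,
    data            text   NOT NULL
);

-- Constructed sample rows, seeded before RLS is switched on.
INSERT INTO visitor_logs (id, organization_id, data) VALUES
    (1, 'org_A',   'row owned by tenant A'),
    (2, 'org_YOU', 'row owned by the calling tenant'),
    (3, 'org_B',   'row owned by tenant B');

-- Hypothetical helper: the tenant id the API layer sets for each transaction.
-- An unset or reset setting yields NULL, so the policy comparison is never
-- true and the session matches no rows (fail closed).
CREATE FUNCTION current_org_id() RETURNS text
LANGUAGE sql STABLE
AS $$ SELECT NULLIF(current_setting('app.current_org_id', true), '') $$;

ALTER TABLE visitor_logs ENABLE ROW LEVEL SECURITY;
-- FORCE makes the table owner subject to the policy as well.
ALTER TABLE visitor_logs FORCE ROW LEVEL SECURITY;

-- USING filters rows on SELECT/UPDATE/DELETE; WITH CHECK validates rows
-- written by INSERT/UPDATE. Both are needed to cover reads and writes.
CREATE POLICY tenant_isolation ON visitor_logs
    FOR ALL
    USING      (organization_id = current_org_id())
    WITH CHECK (organization_id = current_org_id());

-- Unprivileged application role (superusers and BYPASSRLS roles skip RLS).
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT ON visitor_logs TO app_user;

-- Read as tenant org_YOU: the query has no WHERE clause, the policy adds it.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.current_org_id = 'org_YOU';
SELECT id, organization_id, data FROM visitor_logs;
COMMIT;

-- Cross-tenant write as org_YOU: WITH CHECK rejects the row with an error.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.current_org_id = 'org_YOU';
INSERT INTO visitor_logs (id, organization_id, data) VALUES (4, 'org_B', 'forged');
ROLLBACK;
```

When reviewing a deployment, confirm that the role the API connects with is neither a superuser nor marked BYPASSRLS, since either one skips every policy on the table.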

Support Access

Super-admin support actions are audit-logged and restricted. We do not access customer data without explicit authorization or incident context.

4. Identity & Access Management

Authentication & Authorization

Authentication: Supabase Auth (GoTrue). MFA available. SSO available via Azure AD (Microsoft) OAuth.

Authorization: Role-Based Access Control (RBAC) enforced via `user_roles` tables and RLS policies.

Session Security

  • Cookie Protection: HttpOnly, Secure, SameSite enforced.
  • Session Timeout: Configurable per organization.
  • Account Lockout: Enforced policy against brute force attempts.

5. Data Protection & Encryption

  • In Transit: TLS 1.2+
  • At Rest: AES-256 (Provider Managed)
  • Retention: Configurable per Org, Hard Delete on Expiry

Encryption

In-transit encryption via TLS 1.2+. At-rest encryption is managed by the cloud provider (Supabase/AWS).

Signed URLs

Short-lived, time-bounded signed URLs for all asset access. No public buckets.

Retention

Audit logs retained up to 10 years (plan-dependent: 1y Starter, 5y Defense, 10y Enterprise). Configurable retention for sensitive images.

6. Audit Logging & Immutability

Audit logs are append-only. Database triggers strictly block `UPDATE` and `DELETE` operations on the `audit_logs` table to ensure chain of custody.

[Timeline diagram: T=0 User Login → T=1 Visitor Check-in → T=2 UPDATE BLOCKED]

What we log

  • Auth events (login, logout, lockout)
  • Visitor operations (check-in/out, status change)
  • Compliance decisions (adjudication, screening hits)
  • System events (config changes, exports)

Correction Model

Audit history is never rewritten. Data corrections are recorded as new insert events, preserving the full history.
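
An append-only table with the correction model above, as an added PostgreSQL example that is not SecurePoint's code. Column types, function and trigger names are assumptions, the sample rows are constructed, and the TRUNCATE trigger goes beyond the `UPDATE` and `DELETE` blocking this page describes.

```sql
-- Added example for PostgreSQL 11+. Names other than audit_logs are assumptions.
CREATE TABLE audit_logs (
    id              bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    organization_id text        NOT NULL,
    actor           text        NOT NULL,
    action          text        NOT NULL,
    target          text        NOT NULL,
    metadata        jsonb       NOT NULL DEFAULT '{}'::jsonb,
    created_at      timestamptz NOT NULL DEFAULT now()
);

-- One function serves every blocked operation; TG_OP names the attempt.
CREATE FUNCTION audit_logs_reject_mutation() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    RAISE EXCEPTION 'audit_logs is append-only: % is not permitted', TG_OP
        USING ERRCODE = 'insufficient_privilege';
END;
$$;

CREATE TRIGGER audit_logs_no_update_delete
    BEFORE UPDATE OR DELETE ON audit_logs
    FOR EACH ROW EXECUTE FUNCTION audit_logs_reject_mutation();

-- TRUNCATE never fires row-level triggers, so it gets a statement-level one.
CREATE TRIGGER audit_logs_no_truncate
    BEFORE TRUNCATE ON audit_logs
    FOR EACH STATEMENT EXECUTE FUNCTION audit_logs_reject_mutation();

-- Constructed events: an original entry, then its correction as a new row
-- that points back to the entry it supersedes.
INSERT INTO audit_logs (organization_id, actor, action, target, metadata)
VALUES ('org_YOU', 'user:guard-01', 'visitor.check_in', 'visitor:1001',
        '{"badge": "B-17"}');

INSERT INTO audit_logs (organization_id, actor, action, target, metadata)
VALUES ('org_YOU', 'user:admin-02', 'visitor.check_in.correction', 'visitor:1001',
        '{"corrects_id": 1, "badge": "B-71"}');

-- Rewriting history in place: the row-level trigger raises and the
-- statement is aborted, leaving both rows as inserted.
BEGIN;
UPDATE audit_logs SET metadata = '{"badge": "B-71"}' WHERE id = 1;
ROLLBACK;
```

These triggers stop ordinary sessions; a role that owns the table can still disable or drop them, so table ownership and DDL rights need to be restricted alongside.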

7. CMMC / ITAR-EAR Control Alignment

SecurePoint USA includes features designed to support defense and aerospace facilities operating under CMMC 2.0, NIST 800-171, and ITAR/EAR export controls.

CMMC L2 Control Mapping

CMMC Control    Feature Mapping
AU.L2-3.3.1     Immutable audit logs with database triggers
AU.L2-3.3.2     Actor, action, target, metadata, timestamp in all logs
AC.L2-3.1.1     RBAC with organization-scoped roles
AC.L2-3.1.2     Rate limiting on sensitive endpoints
IA.L2-3.5.3     Session timeouts, account lockout policies
SC.L2-3.13.1    RLS database isolation, encryption at rest
PE.L2-3.10.1    Visitor screening with export controls workflow

ITAR/EAR Workflow Support

  • Sanctions screening (OFAC, BIS, DDTC) for visitor access
  • US Person attestation workflow
  • Export-controlled zone access decisions (audited)
  • Denial/Debarment checks recorded

PE Evidence Pack

Download our CMMC Level 2 Physical Security (PE) evidence checklist designed for third-party assessments.


8. API Security & Validation

Schema Validation

Strict Zod validation on all API inputs to prevent injection and malformed data.

Rate Limiting

Protection on sensitive endpoints (auth, check-in, messages) to prevent abuse and DoS.

9. Operational Security

Detailed Monitoring

Error events and performance metrics are logged with organization context. Alerts configured for security anomalies.

Backups & Disaster Recovery

Continuous backups with Point-in-Time Recovery. Documented Business Continuity and Incident Response plans.

10. Downloads & Evidence

Files

11. IT & Compliance FAQ

Security Contact

security@securepointusa.com

For questionnaires, due diligence, and IT review scheduling.