Trust

Updated July 2026

How we protect your data.

Embrasure is a data agent that reads from your warehouse with credentials you control. We isolate each customer at the database row level, log every administrative action, and keep the list of sub-processors small. This page is the short version. DPA, sub-processor list, and our most recent pen-test summary are available under NDA; email security@embrasure.ai.

01

Architecture

Embrasure is multi-tenant SaaS hosted on AWS ECS/Fargate in `us-east-1`, with Supabase (US-East) as the system of record. Every table that holds workspace data enforces Postgres row-level security tied to the authenticated workspace member. There is no application code path that can bypass it.

The data agent connects to your warehouse using credentials you provide and executes read-only SQL by default. Mutating operations are opt-in per connector and require an approval policy.

We do not copy warehouse data into Embrasure. We persist only column metadata (the catalog), semantic definitions, query plans, and the rows returned to a chat session, which are bounded by per-workspace row limits.

02

Encryption

In transitTLS 1.2+ everywhere. HSTS enabled on the apex domain.
At restAES-256 on Supabase Postgres and storage; AWS-managed disk encryption.
Connector credsEncrypted at the column level with workspace-scoped keys before persistence.
BackupsSupabase daily snapshots, 7-day point-in-time recovery.

03

Access controls

Workspaces have six roles (owner, admin, security_admin, billing_admin, editor, viewer), enforced both in the application and via Postgres RLS policies.

Email/password accounts require a verified authenticator-app code. Workspace admins can restrict allowed email domains, configure SAML SSO, require company sign-in, and set a maximum session length.

Company SSO sessions rely on the customer's identity provider for MFA. Required-SSO workspaces reject password-only browser and API sessions; personal access tokens cannot bypass the policy.

SCIM 2.0 and Google Workspace directory sync manage membership and roles. Workspace authentication policy is enforced at protected web routes, the API, and Postgres row policies. Setup guidance is available in the identity and sign-in guide.

Column-level sensitivity labels (public / internal / confidential / restricted) and masking strategies (null / redact / hash / last4) are enforced by the agent's query layer before results leave the warehouse.

04

Audit logging

Every workspace administrative action (invite, role change, settings update, identity provider change, data policy edit) is recorded with actor, target, timestamp, and metadata. Admins can search, filter, and export the full log as CSV from the console.

05

Sub-processors

AWSApplication hosting, load balancing, container runtime, logs, secrets, transactional email, and Bedrock inference. US-East.
SupabaseManaged Postgres, auth, storage. US-East.
OpenRouterText inference routing for agent workflows. Zero data retention configured where supported.
OpenAIEmbeddings for semantic search and memory retrieval. Zero data retention configured where supported.

We notify customers at least 30 days before adding a new sub-processor that processes customer data.

06

Compliance

SOC 2 Type 2In progress. Letter of engagement available under NDA on request.
GDPRDPA available before signature. EU data subject rights honored.
HIPAANot currently in scope. Email us if it’s a hard requirement.
Data residencyUS-East today. EU region available on enterprise plans.

07

Operational practices

  • Mandatory MFA on every employee account that touches production.
  • Least-privilege production access through a single SSO identity provider.
  • All production changes ship through reviewed, CI-gated pull requests.
  • Deploys run through OIDC-authenticated GitHub Actions to AWS ECS, with post-deploy smoke checks. Pipeline detail is available under NDA.
  • Dependency vulnerability scanning runs on every push.
  • Annual third-party penetration test. Summary available under NDA.

08

Report a vulnerability

Email security@embrasure.ai with a description, reproduction steps, and impact. We acknowledge within one business day and aim to resolve confirmed reports within 30 days. We credit reporters by request.

Machine-readable contact: /.well-known/security.txt

Anonymous or confidential security, privacy, compliance, and ethics reports can be sent through the reporting channel.