Current control summary
| Control area | Current implementation |
|---|---|
| Transport security | HTTPS is enforced for the public domain through Cloudflare and Railway. Data sent between a browser and the production application is protected with TLS. |
| Storage encryption | Application data is stored in Railway PostgreSQL and a Railway Volume. Railway states that customer project data is encrypted at rest. EdgePoint does not currently apply separate application-level encryption to each database field or uploaded file. |
| Authentication | Better Auth provides password and optional OAuth authentication, signed session cookies, session expiration, origin checks, and password hashing. Sessions are configured to expire after 30 days. |
| Authorization | Protected pages and API routes verify the current session. File and analysis endpoints scope records to the authenticated user, with organization roles and a restricted administrative allowlist for administrative functions. |
| File access | Uploaded files are not exposed through public object URLs. Authorized downloads stream through authenticated application endpoints. |
| AI processing | OpenRouter requests enforce zero-data-retention routing and deny providers that collect request content. |
| Backups and resilience | Production persistence uses Railway-managed infrastructure and a mounted volume. Recovery capabilities depend on the active Railway plan and configured provider features. |
What we do not claim
EdgePoint Strategy does not currently represent this platform as SOC 2 Type II certified. The customer interface does not currently provide a formal customer-facing audit log or continuous vulnerability-monitoring product. Security descriptions are intended to match implemented controls and will be revised when those controls change.
Operational security
- Secrets are supplied through production environment variables rather than committed to application source.
- Database access uses the production connection configured for the application service.
- Private application routes are excluded from public search discovery and require route-level authorization.
- Dependencies are reviewed for known vulnerabilities and upgraded based on exploitability, compatibility, and production impact.
- Errors and infrastructure logs are used for troubleshooting and security response. This operational logging is not a customer audit-log feature.
Customer responsibilities
Customers should manage user access, use unique credentials, remove access when roles change, classify documents before upload, submit only authorized content, review AI outputs, and notify EdgePoint promptly about suspected unauthorized activity.
Report a security concern
Send suspected vulnerabilities or security incidents to [email protected] with enough detail to reproduce or investigate the issue. Do not access, alter, or retain data that is not yours while testing a suspected vulnerability.
Assurance and limitations
No system can guarantee absolute security. This overview is not a certification, audit opinion, warranty, or substitute for customer due diligence. Customers with specific contractual or regulatory requirements should request a scoped security review before using the platform for regulated data.