Trust · last updated June 2026

How we protect your data.

Embrasure is a data agent that reads from your warehouse with credentials you control. We isolate each customer at the database row level, log every administrative action, and keep the list of sub-processors small. This page is the short version. DPA, sub-processor list, and our most recent pen-test summary are available under NDA — email security@embrasure.ai.

01

Architecture

Embrasure is multi-tenant SaaS hosted on AWS ECS/Fargate in `us-east-1`, with Supabase (US-East) as the system of record. Every table that holds workspace data enforces Postgres row-level security tied to the authenticated workspace member. There is no application code path that can bypass it.

The data agent connects to your warehouse using credentials you provide and executes read-only SQL by default. Mutating operations are opt-in per connector and require an approval policy.

We do not copy warehouse data into Embrasure. We persist only column metadata (the catalog), semantic definitions, query plans, and the rows returned to a chat session — which are bounded by per-workspace row limits.

02

Encryption

In transit: TLS 1.2+ everywhere. HSTS enabled on the apex domain.
At rest: AES-256 on Supabase Postgres and storage; AWS-managed disk encryption.
Connector creds: Encrypted at the column level with workspace-scoped keys before persistence.
Backups: Supabase daily snapshots, 7-day point-in-time recovery.

03

Access controls

Workspaces have six roles — owner, admin, security_admin, billing_admin, editor, viewer — enforced both in the application and via Postgres RLS policies.

Workspace admins can require SSO (SAML or OIDC) for their email domain, restrict allowed email domains, and set session timeout. Admins can issue scoped personal access tokens for programmatic access and revoke them from the console.

Column-level sensitivity labels (public / internal / confidential / restricted) and masking strategies (null / redact / hash / last4) are enforced by the agent's query layer before results leave the warehouse.

04

Audit logging

Every workspace administrative action — invite, role change, settings update, identity provider change, data policy edit — is recorded with actor, target, timestamp, and metadata. Admins can search, filter, and export the full log as CSV from the console.

05

Sub-processors

AWS: Application hosting, load balancing, container runtime, logs, and secrets. US-East.
Supabase: Managed Postgres, auth, storage. US-East.
Anthropic: LLM inference for agent workflows. Zero data retention configured where supported.
OpenAI: Embeddings and optional LLM inference when a workspace selects an OpenAI model. Zero data retention configured where supported.
Resend: Transactional email (invites, alerts).

We notify customers at least 30 days before adding a new sub-processor that processes customer data.

06

Compliance

SOC 2 Type I: In progress. Letter of engagement available under NDA on request.
SOC 2 Type II: Targeted within 12 months of Type I completion.
GDPR: DPA available before signature. EU data subject rights honored.
HIPAA: Not currently in scope. Email us if it’s a hard requirement.
Data residency: US-East today. EU region available on enterprise plans.

07

Operational practices

  • Mandatory MFA on every employee account that touches production.
  • Least-privilege production access through a single SSO identity provider.
  • All production changes ship through reviewed, CI-gated pull requests.
  • Dependency vulnerability scanning runs on every push.
  • Annual third-party penetration test. Summary available under NDA.

08

Report a vulnerability

Email security@embrasure.ai with a description, reproduction steps, and impact. We acknowledge within one business day and aim to resolve confirmed reports within 30 days. We credit reporters by request.

Machine-readable contact: /.well-known/security.txt