Security Posture
How the platform protects regulated data — encryption at rest and in transit, authentication and access controls, the live threat model, the compliance frameworks the platform is built against, and the program that catches and triages vulnerabilities. Companion to /privacy.
Encryption: AES-256-GCM + TLS 1.3
Access layers: 3
Frameworks: 6
Threat Model
Each row names a concrete adverse event the platform defends against, the realistic attack vector, and the layered mitigation that makes the threat acceptably small.
| Threat | Vector | Mitigation | Level |
|---|---|---|---|
| Agent attempts to write directly to a live cro.* table | Mis-routed Drizzle insert from an agent worker | Blocked at packages/policy/governor.ts before any DB call; all agent writes funnelled through the staging-only path. RLS on live tables denies the agent service role. | high |
| Replay of a captured Part 11 e-signature | Stolen session cookie or replayed POST to /esign | Re-auth challenge inside the signature flow + per-signature nonce + immutable row with monotonic created_at. Replay produces a duplicate-nonce violation. | high |
| Indirect prompt injection from sponsor-supplied protocol text | Hostile content in an uploaded document instructing an agent to bypass review | A2 autonomy class: every agent output staged and human-signed. Citation grounding via packages/citations rejects ungrounded claims. A4 fully-autonomous mode is architecturally prohibited. | medium |
| PHI/PII leaking into application or model-call logs | Verbose error trace or unredacted prompt sent to Anthropic | Structured logger redacts known PHI fields by allow-list. Prompts assembled from minimised projections only; subject identifiers are tokenised before leaving the trust boundary. | medium |
| Compromised npm dependency executing at build or runtime | Typosquat or compromised maintainer publishing a malicious version | pnpm lockfile pinned, dependabot weekly, npm audit in CI, scoped GitHub Actions tokens, no postinstall scripts permitted in production deploys. | medium |
| New table shipped without an RLS policy | Developer forgets to add a policy alongside a CREATE TABLE migration | Supabase advisors run in CI via the MCP get_advisors call; deny-by-default policy on every new cro.* schema table; security-review auto-requested on any packages/schema diff. | low |
| Insecure direct object reference in sponsor portal | Sponsor A guessing sponsor B request ID | Every sponsor query scoped by auth.uid() in the RLS policy on cro.sponsor_request; the route handler never trusts the URL parameter alone. | low |
| Tampering with provenance or audit rows | Privileged operator attempting to rewrite history | provenance_event and signature tables are append-only; UPDATE/DELETE blocked by trigger and by RLS. Daily integrity export hashed and archived off-site. | low |
Compliance Frameworks
Each chip names a regime the platform is designed to satisfy. SOC 2 is in flight; the others are continuously evidenced through the audit spine.
Vulnerability Program
Dependabot weekly + npm audit on every CI run + Supabase advisors on every migration. Critical CVEs patched within 24 hours, high within 7 days, medium within 30. Annual third-party penetration test (next: 2026-Q4). Public security contact: security@cro.example.
Incident Response
On-call rotation acknowledges within 15 minutes for sev-1. Runbook in docs/runbooks/incident.md: contain → preserve evidence → notify affected sponsors within 24 hours → post-mortem within 5 business days. Regulated incidents (PHI exposure, signature integrity) trigger immediate Quality notification and HIPAA breach assessment.
Last Security Review
2026-05-22 — full posture review performed by the Security & Quality joint working group.