Security

Built so your data stays yours.

Architecture, encryption, access control, monitoring, and the operating habits that protect your context.

Effective: May 13, 2026Last updated: May 13, 2026
01

Overview

Genible holds the context of how your business runs — entities, relationships, signals, decisions. The platform is built so that context stays scoped to your workspace, encrypted at rest, accessible only to the people you authorize, and recoverable in case of an incident. This page summarizes our security posture.

02

Architecture & isolation

  • Public-facing Edge API. Browsers and webhooks only talk to an authenticated Edge API. The Edge layer enforces auth, rate limits, and request shape.
  • Internal-only Core API. The Core API — which holds the service-role database key — is never exposed to the public internet. Edge → Core traffic is gated by an internal shared secret.
  • Multi-tenant isolation. Every multi-tenant table is protected by workspace-scoped Row-Level Security in PostgreSQL. Cross-workspace data access is structurally impossible.
  • Separation of duties. Frontends never touch the database directly. The browser cannot reach the service-role key under any code path.
03

Encryption

  • In transit. All traffic to genible.com and our APIs is served over TLS 1.2+ with modern cipher suites.
  • At rest. All databases use disk-level encryption. OAuth tokens, API keys, and integration credentials are additionally encrypted at the application layer with AES-256-GCM before being written to the database; decryption happens only inside the Core API at the moment of use.
  • Backups. Database backups are encrypted at rest and stored in a separate region.
04

Authentication & access control

  • Authentication. Email-and-password with strong hashing, plus OAuth via supported identity providers. SSO (SAML/OIDC) available on enterprise plans.
  • RBAC. Organization roles (owner, admin, member), workspace roles, and custom roles with fine-grained permissions on entity types, integrations, and workflows.
  • Row-level security. Database-level policies prevent any code path from reading or writing across workspaces.
  • Per-org LLM budgets. Every LLM call is logged, costed, and counted against a daily token budget — a runaway prompt cannot generate a surprise bill.
05

Data handling

  • You own your data. Customer Data is yours. We act as a data processor.
  • No training on your data. Workspace content is never used to train shared, public, or third-party models.
  • Zero-retention LLM agreements. Where the underlying model provider supports it, we route through zero-retention API endpoints so prompts and outputs are not retained by the provider.
  • Data residency. Production data is hosted in vetted cloud regions. Enterprise plans can request specific regions.
  • Export & disconnect. You can disconnect any integration at any time and export everything Genible holds about your workspace in a structured form.
06

Logging, monitoring & audit

  • Audit logs. Every action that touches sensitive data — credential decryption, permission changes, integration calls, exports, data deletions — is logged with actor, timestamp, and target. Audit logs are tamper-evident and retained per your plan.
  • Application monitoring. Latency, error rates, and security-relevant events are streamed to our observability stack.
  • Alerting. Anomalies (unusual auth patterns, sudden permission changes, integration tampering) trigger on-call alerts.
07

Infrastructure & operations

  • Hosting. We host on Cloudflare (edge), AWS / GCP (compute and storage), and Supabase (managed Postgres). All vendors operate SOC 2–certified data centers.
  • Patching. OS and runtime dependencies are tracked and patched on a routine schedule, with emergency patches for critical CVEs.
  • Backups. Automated daily backups; point-in-time recovery available for production databases.
  • Disaster recovery. Cross-region failover is exercised periodically.
08

Vulnerability disclosure

If you believe you have found a security vulnerability, please report it to security@genible.com with steps to reproduce. We commit to:

  • Acknowledge your report within 3 business days.
  • Provide a triage update within 10 business days.
  • Work with you in good faith and not pursue legal action against researchers who follow responsible disclosure (no privacy violations, no service degradation, no destruction of data, only your own test accounts).
09

Compliance

Genible is built to align with the requirements of common compliance frameworks. We can provide:

  • A copy of our security architecture overview.
  • A vendor security questionnaire response.
  • A Data Processing Addendum (DPA) including Standard Contractual Clauses for GDPR transfers.

For specific certifications (SOC 2 Type II, ISO 27001, HIPAA), data-residency requirements, or to receive any of the documents above, email security@genible.com.

10

People & processes

  • Background checks on employees with production access.
  • Mandatory MFA for all staff accounts on internal tools.
  • Least-privilege access — production access is granted only to engineers who need it, audited quarterly.
  • Security training on onboarding and annually thereafter.
  • Documented incident-response runbook with defined severity levels and customer-notification thresholds.
11

Data deletion

You can delete records, disconnect integrations, or close your account at any time. See Data Deletion Instructions for the full process and timelines.