Multi-tenant isolation is architectural. Encryption is default. Every access event is immutably logged. Here is everything your procurement team needs.
Controller–Processor agreement covering GDPR Article 28 and US state privacy law. Includes sub-processor table, breach notification (72hr), data residency, audit rights, and deletion procedures.
Uptime commitments (99.5%–99.9% by tier), service credit schedule, P1–P4 support response times, scheduled maintenance windows, and backup/recovery objectives.
Architecture, access controls, audit logging, incident response procedure, vulnerability management, and compliance roadmap. For procurement security questionnaires.
Row-Level Security (RLS) policies enforced by PostgreSQL itself. Every query runs scoped to the authenticated tenant's org_id, so cross-tenant reads and writes are rejected by the database regardless of application code, not merely by policy.
AES-256 encryption at rest via Supabase managed PostgreSQL on AWS. TLS 1.3 in transit on all connections. Third-party API keys are held as encrypted environment variables on the server and are never committed to source code.
Every create, update, delete, and export event is recorded with user ID, org ID, action type, affected record, timestamp, and IP address. The log is append-only: no user or administrator can modify or delete an entry.
All customer data is stored and processed exclusively within the United States on Supabase infrastructure hosted on AWS US-East. No data transfers outside the US under any circumstances.
No self-registration. Every user account requires an authorised invite token generated by a platform administrator. Session timeout enforced. RBAC with five permission levels enforced at DB layer.
All traffic is routed through Cloudflare with DDoS protection, WAF, and Bot Fight Mode enabled. A server-side API proxy holds every upstream service credential, so none is ever sent to the client browser.
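The tenant-scoping and append-only audit-log controls described above, shown as an added PostgreSQL example. This is not pallis.ai's own schema (the page does not publish one); the table and column names, the app_user role, and the app.org_id per-request setting are assumptions. On a Supabase deployment the tenant id would normally be read from auth.jwt() claims instead of a custom setting, but the policy shape is the same.

```sql
-- Added example, not the vendor's schema. Table/column names, the app_user
-- role and the app.org_id setting are assumptions made for illustration.

create table projects (
  id      bigserial primary key,
  org_id  uuid not null,
  name    text not null
);

-- Enable RLS and FORCE it so the table owner is subject to the policy too.
-- Roles with BYPASSRLS (superusers, Supabase service_role) still bypass it;
-- those credentials must stay server-side.
alter table projects enable row level security;
alter table projects force row level security;

-- Scope every read and write to the caller's org. If app.org_id is unset,
-- current_setting(..., true) returns NULL, the comparison is NULL, and the
-- row is denied: the policy fails closed. WITH CHECK also stops a caller
-- from inserting or updating a row into another org.
create policy tenant_isolation on projects
  using      (org_id = current_setting('app.org_id', true)::uuid)
  with check (org_id = current_setting('app.org_id', true)::uuid);

-- Audit log with the fields the page lists; callers may only INSERT.
create table audit_log (
  id          bigserial primary key,
  user_id     uuid not null,
  org_id      uuid not null,
  action      text not null
              check (action in ('create', 'update', 'delete', 'export')),
  record_ref  text not null,
  occurred_at timestamptz not null default now(),
  ip_address  inet
);

alter table audit_log enable row level security;
alter table audit_log force row level security;

-- Tenants see only their own org's entries and can only write entries
-- stamped with their own org_id.
create policy audit_tenant_scope on audit_log
  using      (org_id = current_setting('app.org_id', true)::uuid)
  with check (org_id = current_setting('app.org_id', true)::uuid);

-- Privilege grants: no UPDATE/DELETE/TRUNCATE on the log for the app role.
create role app_user nologin;
grant select, insert, update, delete on projects to app_user;
grant select, insert on audit_log to app_user;
revoke update, delete, truncate on audit_log from app_user;

-- Defence in depth: a trigger refuses changes even if a privilege is
-- granted by mistake later.
create or replace function audit_log_immutable() returns trigger
language plpgsql as $$
begin
  raise exception 'audit_log is append-only';
end
$$;

create trigger audit_log_no_changes
  before update or delete on audit_log
  for each row execute function audit_log_immutable();

-- Per-request usage: set the tenant inside the transaction (is_local = true
-- so the value does not leak to the next request on a pooled connection),
-- then query normally. Only that org's rows come back.
begin;
select set_config('app.org_id', '11111111-1111-1111-1111-111111111111', true);
insert into projects (org_id, name)
  values ('11111111-1111-1111-1111-111111111111', 'demo');
insert into audit_log (user_id, org_id, action, record_ref, ip_address)
  values ('22222222-2222-2222-2222-222222222222',
          '11111111-1111-1111-1111-111111111111',
          'create', 'projects:1', '203.0.113.10');
select * from projects;
commit;
```

Two checks a reviewer would run against any deployment claiming this: confirm `rowsecurity` and `forcerowsecurity` are true for every tenant table in `pg_class`, and confirm that the role the application connects as (on Supabase, the anon/authenticated key rather than service_role) does not carry BYPASSRLS, since a bypassing role makes every policy above a no-op.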
| Standard | Status | Target |
|---|---|---|
| Data Processing Agreement | ● Available now | Immediate |
| Service Level Agreement | ● Available now | Immediate |
| Security Overview | ● Available now | Immediate |
| Cyber Insurance | ◑ Evaluation in progress | Q3 2026 |
| SOC 2 Type I | ◑ Controls implemented, audit prep in progress | Q2 2027 |
| SOC 2 Type II | ○ Observation period begins Q1 2027 | Q4 2027 |
| ISO 27001 | ○ Planned post-Series A | TBD |
Customers requiring SOC 2 Type II for immediate procurement can request a detailed security questionnaire response. We work directly with your security team to address specific requirements. Contact security@pallis.ai →
Report suspected vulnerabilities, active security incidents, or request penetration test results.
Data subject requests, DPA execution, privacy impact assessments, and CCPA/GDPR inquiries.
MSA review, Order Form execution, procurement questionnaires, and contract amendments.
Request platform access, Founding Cohort applications, and general onboarding inquiries.