
Trust & Security

How we protect your data, isolate your tenants, and ensure your audit trail cannot be tampered with.

Security Architecture

Browser

CSP enforced, no unsafe-eval in production, HTTPS only

Application

Next.js server actions, RBAC middleware, rate limiting, Sentry monitoring

Database

Row-Level Security on every table, tenant isolation enforced at query level

Authentication

Supabase Auth with JWT tokens. Session management handled server-side. No credentials stored in application code.

Authorization

24 granular permissions across 5 role tiers. Checked at both application layer and database layer (defense in depth).

Tenant Isolation

Every database query is filtered by tenant ID through PostgreSQL Row-Level Security policies. User A cannot read, write, or even detect Tenant B's data. This is enforced at the database engine level, not application code.

Verified by automated RLS isolation test suite
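The tenant scoping described above, written out as an added example; this is not Reliatic's own schema or policy set. It assumes Supabase conventions (application queries run as the "authenticated" role, and auth.uid() reads the caller's user id from the JWT claims) and uses two hypothetical tables, tenant_members and assets. The final part shows the kind of check an automated RLS isolation test suite would run: a user from one tenant trying to read, update and insert into another tenant's rows.

```sql
-- Added example, not Reliatic's schema. Assumes Supabase conventions:
-- auth.uid() returns the calling user's id from the JWT, and the
-- "authenticated" role is the one application queries run as.
-- The tables "tenant_members" and "assets" are hypothetical.

create table tenant_members (
  tenant_id uuid not null,
  user_id   uuid not null,
  primary key (tenant_id, user_id)
);

create table assets (
  id        uuid primary key default gen_random_uuid(),
  tenant_id uuid not null,
  name      text not null
);

grant select, insert, update, delete on tenant_members, assets to authenticated;

-- ENABLE turns RLS on; FORCE applies it to the table owner as well, so a
-- connection using the owning role cannot quietly bypass the policies.
alter table tenant_members enable row level security;
alter table tenant_members force row level security;
alter table assets         enable row level security;
alter table assets         force row level security;

-- Policy subqueries run as the calling role, so membership rows must be
-- visible to the user they belong to, and only to that user.
create policy tenant_members_self on tenant_members
  for select to authenticated
  using (user_id = auth.uid());

-- One predicate for every operation. USING filters the rows a statement can
-- see or touch (SELECT, UPDATE, DELETE); WITH CHECK validates the rows a
-- statement produces (INSERT, UPDATE), so a caller cannot insert a row that
-- carries another tenant's id or move an existing row into another tenant.
create policy assets_tenant_isolation on assets
  for all to authenticated
  using (
    tenant_id in (select tenant_id from tenant_members
                  where user_id = auth.uid())
  )
  with check (
    tenant_id in (select tenant_id from tenant_members
                  where user_id = auth.uid())
  );

-- Isolation check in the style of an automated suite. Two constructed
-- tenants and users. Setting "request.jwt.claims" is how auth.uid() is fed
-- a user id outside a real request (assumption about the Supabase helper).
insert into tenant_members values
  ('11111111-1111-1111-1111-111111111111', 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa'),
  ('22222222-2222-2222-2222-222222222222', 'bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb');
insert into assets (tenant_id, name) values
  ('11111111-1111-1111-1111-111111111111', 'Pump P-101'),
  ('22222222-2222-2222-2222-222222222222', 'Vessel V-201');

begin;
set local role authenticated;
select set_config('request.jwt.claims',
                  '{"sub":"aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"}', true);

-- Tenant 2's row is filtered out rather than rejected, so the count covers
-- only user A's own tenant and user A cannot learn that Vessel V-201 exists.
select count(*) as visible_to_user_a from assets;

-- The cross-tenant row is invisible to the statement, so it matches nothing;
-- no error is raised and nothing leaks about whether the tenant has rows.
update assets set name = 'tampered'
 where tenant_id = '22222222-2222-2222-2222-222222222222';

-- WITH CHECK rejects this row with a row-level security violation, because
-- user A is not a member of Tenant 2; the transaction is then rolled back.
insert into assets (tenant_id, name)
values ('22222222-2222-2222-2222-222222222222', 'smuggled');
rollback;
```

The important property for "cannot even detect" is that cross-tenant reads and updates match zero rows instead of failing: a failure would confirm the row exists. Only writes that would create a row in the wrong tenant are rejected outright, which is what WITH CHECK is for.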

Audit Log Immutability

Once written, audit log entries cannot be modified or deleted. This is enforced by database-level policies and triggers that reject UPDATE and DELETE operations. Even database administrators with elevated privileges trigger the immutability guard.

Enforced by PostgreSQL RESTRICTIVE policies + triggers
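The RESTRICTIVE-policy-plus-trigger arrangement described above, as an added example that is not Reliatic's own implementation. The audit_log table and its columns are hypothetical; tenant_members is the hypothetical membership table from the tenant isolation section and is created here only if it does not already exist. Three layers are shown: table privileges, restrictive RLS policies, and triggers that fire regardless of who issues the statement.

```sql
-- Added example, not Reliatic's schema. "audit_log" is hypothetical;
-- "authenticated" is the Supabase application role.

create table if not exists tenant_members (
  tenant_id uuid not null,
  user_id   uuid not null,
  primary key (tenant_id, user_id)
);

create table audit_log (
  id          bigint generated always as identity primary key,
  tenant_id   uuid not null,
  actor_id    uuid,
  action      text not null,
  details     jsonb not null default '{}',
  recorded_at timestamptz not null default now()
);

alter table audit_log enable row level security;
alter table audit_log force row level security;

-- Layer 1: privileges. The application role is only ever granted the
-- ability to read and append; UPDATE, DELETE and TRUNCATE are withheld.
grant select, insert on audit_log to authenticated;
revoke update, delete, truncate on audit_log from authenticated;

-- Layer 2: RLS. Permissive policies grant access and are OR-ed together;
-- RESTRICTIVE policies are AND-ed with them and can only take access away.
-- A restrictive policy with a constant-false predicate therefore blocks
-- UPDATE and DELETE no matter which permissive policies exist or are
-- added later.
create policy audit_log_no_update on audit_log
  as restrictive for update using (false);

create policy audit_log_no_delete on audit_log
  as restrictive for delete using (false);

-- Reads and appends stay tenant-scoped, using the same membership lookup
-- as the tenant isolation example.
create policy audit_log_read on audit_log
  for select to authenticated
  using (tenant_id in (select tenant_id from tenant_members
                       where user_id = auth.uid()));

create policy audit_log_append on audit_log
  for insert to authenticated
  with check (tenant_id in (select tenant_id from tenant_members
                            where user_id = auth.uid()));

-- Layer 3: triggers. RLS is not applied to superusers or to roles with
-- BYPASSRLS, and TRUNCATE is not covered by RLS at all. A trigger fires for
-- every caller, so an administrator connecting with elevated privileges
-- still hits the guard.
create or replace function audit_log_immutable() returns trigger
language plpgsql as $$
begin
  raise exception 'audit_log is append-only: % rejected', tg_op
    using errcode = 'insufficient_privilege';
end;
$$;

create trigger audit_log_guard_rows
  before update or delete on audit_log
  for each row execute function audit_log_immutable();

create trigger audit_log_guard_truncate
  before truncate on audit_log
  for each statement execute function audit_log_immutable();

-- Exercising the guard with a constructed row, run as a role that bypasses
-- RLS (a superuser, for instance). The DELETE raises the exception from the
-- trigger even for that role; the rollback discards the test row.
begin;
insert into audit_log (tenant_id, actor_id, action)
values ('11111111-1111-1111-1111-111111111111', null, 'risk.accepted');
delete from audit_log where action = 'risk.accepted';
rollback;
```

The residual gap a practitioner should know about: a role that can run DDL on the table can still disable the triggers or drop the policies. The controls left for that case are organisational and detective rather than technical, namely keeping such roles out of day-to-day use and alerting on any ALTER TABLE, DROP POLICY or DISABLE TRIGGER against the audit table.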

Content Security Policy

Production deployments enforce strict CSP headers: no unsafe-eval, no unsafe-inline for scripts, frame-ancestors set to none. This prevents XSS attacks and clickjacking.

Environment-gated: strict in production, relaxed in development only

Data Residency

Your data resides in the Supabase region you select during setup. Reliatic does not replicate data across regions. Backups are managed by Supabase with point-in-time recovery.

Data stays in your selected Supabase region

Incident Response

Acknowledgement: Within 24 hours

Security issues reported to our team are acknowledged within one business day.

Critical vulnerabilities: Patched within 72 hours

Issues that could lead to data exposure or tenant isolation bypass are treated as P0 and patched immediately.

Contact: security@reliatic.com

Report security concerns directly. We do not have a bug bounty program at this time.

Compliance Positioning

Reliatic is designed to support compliance with the standards below. We do not claim certification or replace professional assessments.

Standard: API 580 / 581
What Reliatic supports: Risk ranking documentation, inspection scheduling evidence, approval workflows for RBI program decisions
What it does NOT do: Does not replace a certified RBI study or qualified RBI analyst

Standard: ISO 55000
What Reliatic supports: Decision traceability, asset register governance, review cadence enforcement
What it does NOT do: Is not an asset management system or financial planning tool

Standard: ISO 31000
What Reliatic supports: Risk identification records, risk acceptance workflows with justification, review scheduling
What it does NOT do: Does not perform risk quantification or Monte Carlo simulation

Standard: IEC 60812
What Reliatic supports: FMEA worksheets with S/O/D scoring, RPN calculation, action tracking
What it does NOT do: Does not perform reliability modeling or predict failure rates

Standard: NORSOK Z-008
What Reliatic supports: Risk acceptance documentation, review trails, escalation records
What it does NOT do: Does not provide operational control system integration

What We Explicitly Do NOT Claim

Transparency builds trust. Here is what Reliatic is not.

We are not SOC 2 certified (yet). We follow SOC 2-aligned practices but have not completed a formal audit.

We do not replace qualified engineers. Reliatic is a governance tool, not an engineering calculation engine.

We do not guarantee regulatory compliance. We provide the evidence trail — your organization owns the compliance program.

We do not offer on-premise deployment. Reliatic is cloud-only, hosted on Supabase infrastructure.

We do not store or process payment card data. Billing is managed internally with no card data retained.

We do not provide uptime SLAs on the Starter plan. Enterprise customers receive contractual SLAs.
