Trust & Security

Built so it can be trusted with the work.

Poggle stores your knowledge — and increasingly, your AI's. Here's how that data is protected, who can read what, and the controls available to you and your team.

Eight pillars

The same plumbing your security team would build, already wired.

Each pillar below is real — not aspirational. Click through to the feature pages or the docs to see the actual surfaces and APIs.

Data isolation
Every row is scoped to a workspace. Postgres row-level security policies enforce that scope at the database — not just at the application layer — so a bug in app code can't accidentally leak data across tenants.
  • Row-level security (RLS) on every table that holds tenant data
  • Workspace boundary enforced in policies, services, and the audit log
  • Per-request workspace context derived from the auth session, never the URL
  • Admin-only operations re-verified server-side on every action
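
An added example (not Poggle's schema or code) of the database-level workspace scoping described above, written for PostgreSQL. The table, role and `app.workspace_id` setting names are hypothetical, and it assumes a scratch database and a superuser session.

```sql
-- Added illustration: all names are hypothetical, not Poggle's schema.
CREATE TABLE notes (
    id           bigserial PRIMARY KEY,
    workspace_id uuid NOT NULL,
    body         text NOT NULL
);

-- Constructed sample rows for two workspaces, inserted before RLS is enabled.
INSERT INTO notes (workspace_id, body) VALUES
    ('11111111-1111-1111-1111-111111111111', 'workspace A roadmap'),
    ('22222222-2222-2222-2222-222222222222', 'workspace B payroll');

-- ENABLE turns policies on; FORCE applies them to the table owner as well.
ALTER TABLE notes ENABLE ROW LEVEL SECURITY;
ALTER TABLE notes FORCE ROW LEVEL SECURITY;

-- USING filters the rows a statement can see; WITH CHECK rejects writes that
-- would land in another workspace. An unset or empty setting becomes NULL,
-- the comparison is never true, and the request sees no rows (fail closed).
CREATE POLICY notes_workspace_isolation ON notes
    USING (workspace_id =
           NULLIF(current_setting('app.workspace_id', true), '')::uuid)
    WITH CHECK (workspace_id =
           NULLIF(current_setting('app.workspace_id', true), '')::uuid);

-- The application connects as a role with neither SUPERUSER nor BYPASSRLS;
-- superusers skip RLS entirely, so the checks below switch to this role.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON notes TO app_user;
GRANT USAGE ON SEQUENCE notes_id_seq TO app_user;

BEGIN;
SET LOCAL ROLE app_user;
-- Per-request context: the server sets this from the authenticated session,
-- never from a URL or request parameter. The third argument makes it
-- transaction-local, so it cannot leak to the next request on a pooled connection.
SELECT set_config('app.workspace_id',
                  '11111111-1111-1111-1111-111111111111', true);

-- An application query that forgot its workspace filter is still limited
-- to workspace A by the policy.
SELECT id, body FROM notes;

-- A write aimed at workspace B is refused by WITH CHECK.
INSERT INTO notes (workspace_id, body)
VALUES ('22222222-2222-2222-2222-222222222222', 'cross-tenant write');
ROLLBACK;
```

To check coverage of "every table that holds tenant data", list tables where `relrowsecurity` is false in `pg_class` and confirm none of them carry a workspace column.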
Authentication
Email + password is the floor, not the ceiling. Passkeys (WebAuthn) sign you in without ever sending a password over the wire, and OAuth 2.1 with PKCE is the default for any third-party app touching your workspace.
  • WebAuthn / FIDO2 passkeys for passwordless sign-in
  • OAuth 2.1 with PKCE — no implicit flow, no client-secret-in-browser
  • Custom-scope grants so apps see only what you let them see
  • Refresh-token rotation; one-shot authorization codes; 1-hour access tokens
API & developer keys
Issue narrow keys for narrow jobs. Every connection has a permission mode, every OAuth client has explicit scopes, and every key can be revoked instantly — no waiting for a token to expire.
  • Per-connection permission modes: read-only, write-with-approval, full
  • Operator API keys are user-scoped and revocable from settings
  • OAuth client secrets shown exactly once at registration
  • Legacy csk_v1_ tokens have a guided migration path
Audit log
Every meaningful change is recorded — note edits, lifecycle changes, AI-driven writes, exports. The log is append-only and visible to admins inside the product.
  • Append-only event stream for every workspace-level action
  • Machine writes vs human writes are distinguished and traceable
  • Bundle exports, branch promotions, and consent revocations all logged
  • Per-event metadata captures actor, scope, and outcome
Branch-aware writes
AI writes — and humans editing alongside an agent — land on a branch first. You review the diff, accept or veto, and only then does main change. Promotion gates can wire the decision through your CI.
  • Every AI proposal is a branch with full version history
  • Optional webhook gates run before promotion, can veto
  • Branch retention policy auto-warns and discards idle drafts
  • Promoted-to-main history is immutable
Encryption & infrastructure
Data is encrypted at rest in the database and in transit over TLS. Secrets live in environment-isolated stores; we never bake credentials into builds.
  • TLS 1.2+ on every public endpoint
  • Database encryption at rest provided by Supabase / Postgres
  • Object storage (attachments, exports) encrypted at rest
  • Sentry client/edge/server captures errors with PII scrubbing
Network & rate-limiting
Public endpoints are rate-limited at the edge with Upstash; abuse and runaway loops can't take a workspace down. Webhooks and exports run as workers, off the request path.
  • Upstash Redis rate-limit on auth, OAuth, and write paths
  • Cloudflare Workers handle bundle export + diff jobs
  • Inngest schedules retries, retention sweeps, and embedding refreshes
  • Webhook deliveries are signed and replay-safe
Portability & ownership
If you ever leave, you leave with your data. Every box, folder, note, file, skill, and agent exports as plain markdown plus a JSON manifest — and import is the reverse, with full collision handling.
  • Workspace-level export / import (admin-only, downloadable as zip)
  • Plain markdown bodies; YAML frontmatter for metadata
  • Version history rides along in the manifest
  • Cancel anytime; exports remain valid after cancellation

Compliance roadmap

Where we are, and what's next.

GDPR — Live

Data export and account deletion are first-class. EU customers can ask for a portable copy or full erasure at any time.

CCPA — Live

California customers can request the same export and deletion controls.

SOC 2 Type II — In progress

Pre-audit phase. Controls inventory, access reviews, and incident response are documented; an external auditor begins observation in the next quarter.

ISO 27001 — Planned

Scoped for the year following SOC 2 Type II. Customer-driven; happy to share the roadmap on request.

HIPAA — Planned (regulated tier)

Available as a separate enterprise tier when there's named demand. BAAs are not in scope on the standard plan.

EU data residency — Planned

Region pinning for EU customers via a dedicated database region. Contact us if this is a blocker today.

Need a security review?

We send a SIG-Lite, our DPA, and the architecture diagrams on request. Most reviews close inside a week.