Trust Center
Security and privacy controls implemented in the product. Certifications requiring an external auditor (SOC 2, ISO 27001, CASA, HIPAA BAA) are in progress and not claimed as complete.
Tenant isolation
Deny-by-default Postgres row-level security (RLS) on every workspace-owned table; cross-tenant reads are impossible, and requests for another tenant's IDs return 404.
Encryption
AES-256-GCM for provider tokens and IMAP passwords (per-workspace AAD); scrypt for password hashing; only hashes of session/API tokens are stored.
Audit
Hash-chained, append-only audit log with a tamper-verification endpoint.
AI privacy
PII/PCI redacted before any provider call; only a prompt fingerprint is logged, never the raw prompt.
DSR (GDPR/CCPA)
Verified export & erasure with admin review, a 30-day SLA, deletion logs, and legal-hold precedence.
Retention
Per-data-class retention rules; legal holds take precedence; the audit log is never deleted.
Data residency
Pinned per workspace; changes require admin re-consent.
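
How the hash-chained audit log described under Audit can be verified, as an added illustration that is not the product's own code: each entry commits to the hash of the previous one, and the verifier recomputes the chain and compares its head with a value stored outside the log. SHA-256, the canonical JSON encoding, the field names and the all-zero genesis value are assumptions; the page does not specify them.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor value preceding the first entry


def entry_hash(seq, prev, payload):
    """SHA-256 over a canonical encoding of position, previous hash and payload."""
    body = json.dumps({"seq": seq, "prev": prev, "payload": payload},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def append(log, payload):
    """Append-only write: the new entry is bound to the current head of the chain."""
    prev = log[-1]["hash"] if log else GENESIS
    seq = len(log)
    log.append({"seq": seq, "prev": prev, "payload": payload,
                "hash": entry_hash(seq, prev, payload)})
    return log[-1]["hash"]


def verify(log, expected_head=None):
    """Return (ok, index). index is the first entry that fails, or len(log)
    when the chain is self-consistent but does not end at expected_head."""
    prev = GENESIS
    for i, e in enumerate(log):
        if (e["seq"] != i or e["prev"] != prev
                or e["hash"] != entry_hash(i, prev, e["payload"])):
            return False, i
        prev = e["hash"]
    # A chain alone cannot reveal a truncated tail or a full recomputation;
    # that needs a head hash kept where the log writer cannot change it.
    if expected_head is not None and prev != expected_head:
        return False, len(log)
    return True, None


def build_sample_log():
    """Constructed sample events, not real product data."""
    log = []
    append(log, {"actor": "admin@example.test", "action": "token.create"})
    append(log, {"actor": "admin@example.test", "action": "member.invite"})
    append(log, {"actor": "user@example.test", "action": "export.request"})
    return log
```

An in-place edit or a removed entry fails at the affected index; a dropped tail or a fully rehashed chain is only caught when `expected_head` is supplied.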