Security & Trust
Built for human-reviewed knowledge capture.
DebriefCore is designed around human-reviewed knowledge, secure access, organization-level data isolation, draft-until-approved outputs, and a roadmap toward recognized security, privacy, and safety best practices.
- Status: Production
- Model: Human-reviewed, draft-until-approved
- Access: Authenticated workspace access
- Data: Organization-scoped controls
- Claims: Roadmap, not certification
Operational status
Roadmap — Not Certification
Trust summary · built toward recognized best practices, not a certification.
What is in place today.
Practical safeguards that are live in the product right now — described plainly, with no hype.
Human Review First
Every generated output stays a draft until a qualified person reviews and approves it. DebriefCore does not auto-approve outputs, certify readiness, or replace instructor judgment, mechanic authority, or official procedures.
Organization-Level Data Isolation
Organization-scoped access controls mean each workspace can only reach its own captures, outputs, knowledge articles, and Context Packs. Row Level Security is enforced at the database layer.
Secure Authentication
Real workspaces require authenticated access. Anonymous visitors can explore demo content, but they cannot generate real outputs or write production data.
Draft-Only Generation Guardrails
DebriefCore organizes a debrief into structured drafts from user-provided information. By design it must not invent facts, claim official compliance, auto-approve content, or bypass human review.
Safety-critical boundaries
DebriefCore supports documentation, debriefing, training continuity, and knowledge capture. It does not replace FAA requirements, airline/operator procedures, SMS/ASAP programs, official training records, instructor judgment, mechanic authority, or qualified human decision-making.
Standards alignment roadmap
DebriefCore is being built toward recognized domestic and international security, privacy, and safety best practices. Formal compliance or certification requires future audits, policies, legal review, and security review.
NIST Cybersecurity Framework
Mapped as our risk-management baseline across Govern, Identify, Protect, Detect, Respond, and Recover.
ISO/IEC 27001 readiness
Future information-security-management-system alignment. Not certified.
SOC 2 readiness
Working toward the Trust Services Criteria. Not audited.
GDPR & international privacy readiness
Privacy controls and documentation in progress. Legal review required before any compliance claim.
OWASP web application security
Used as the secure-development baseline for access control, injection defense, and input validation.
FAA SMS-style safety-learning alignment
Supports standardized debriefs and safety-learning workflows. Does not replace official systems.
Data privacy roadmap
Privacy work on our roadmap. These items are not yet available — they are tracked here honestly, not implied.
- Data export: Planned
- Data deletion: Planned
- Retention controls: Planned
- Subprocessor list: Planned
- Regional data considerations: Planned
- Multilingual privacy notices: Planned
- Independent legal review: Needs Legal Review
What DebriefCore does not claim
Being clear about what we are not is part of being trustworthy. DebriefCore makes none of the following claims.
- Not SOC 2 audited
- Not ISO/IEC 27001 certified
- Not GDPR legally reviewed as compliant
- Not HIPAA-ready for PHI
- Not FAA-approved
- Does not replace official safety, training, or maintenance systems
- Does not auto-approve AI-generated outputs
Security questions or responsible disclosure
For security or trust questions, contact hello@debriefcore.com. Please do not send passwords, secrets, private keys, or sensitive regulated data by email.