Security & Trust Packet

DebriefCore

Customer-facing security summary · Rev 2026.07

Readiness disclaimer: DebriefCore is actively building against recognized security and governance baselines. Unless explicitly stated, readiness language does not mean certification, audit completion, legal compliance, or regulatory approval.

01 / How Data Flows

From capture to approved knowledge

Capture

An expert speaks or types. Voice or text is captured with the expert's knowledge.

AI Draft

The AI provider drafts a summary. Always marked as a draft — never sent to model training.

Human Review

An authorized Owner, Admin, or Reviewer approves or rejects it. No code path auto-approves.

Approved Knowledge

Stored with Row Level Security. Organization A cannot read Organization B's data.

Nova Boardroom Q&A

Answers are grounded only in approved knowledge, with sources cited.

Exports & Evidence

PDF/DOCX exports and the Governance Evidence report carry the same audit trail.

02 / Current Safeguards

Controls live in production today

Human Review RequiredImplemented

All AI-generated outputs remain drafts until reviewed and approved by an authorized human. No auto-approval.

Organization-Scoped Data IsolationImplemented

Row Level Security enforced at the database layer. Organization A cannot read Organization B data.

Role-Based Access ControlImplemented

Owner / Admin / Reviewer / Member roles enforced throughout the product and database layer.

Audit LoggingImplemented

Append-only audit log records who performed each key action, when, and within which organization.

Encrypted at Rest & in TransitImplemented

Postgres AES-256 at rest (Supabase/AWS). TLS 1.2+ enforced for all connections via Vercel HTTPS.

Reference Photos — Private & Never AI-SentImplemented

Photos stored privately per org; served via short-lived signed URLs only. Never sent to any AI model.

Draft-Until-Approved GuardrailImplemented

No code path in DebriefCore permits AI output to become approved knowledge without human action.

Knowledge Lifecycle GovernanceImplemented

Every article carries a governance status. A daily check marks overdue articles stale. Revision history is append-only.

03 / AI Trust Model

How DebriefCore uses AI

  • AI outputs are always drafts — no code path permits auto-approval into organizational knowledge.
  • AI provider API key is server-side only — never sent to the browser, never logged.
  • Reference photos are never sent to any AI model.
  • Nova Boardroom session content is not persisted server-side.
  • AI provider is swappable via the Enterprise AI Control Plane — trust model stays the same regardless of provider.
  • AI interactions are recorded in audit logs including model and intent metadata.

04 / Compliance Readiness

Framework alignment status

FrameworkStatus
NIST CSF 2.0Mapped Baseline
OWASP ASVS Level 1Readiness In Progress
SOC 2 (Security)Not Audited
ISO/IEC 27001:2022Not Certified
Privacy / GDPR / CCPALegal Review Required
FAA SMS-Style Safety LearningNot FAA-Approved

05 / Subprocessors

Key third-party data processors

VendorData LocationDPA
SupabaseUS (AWS us-east-1)Available
OpenAIUSAvailable
VercelUS (Vercel edge)Available
ResendUSAvailable
StripeUS (PCI DSS certified)Available

Full subprocessor list published separately. Customer DPA available on request.

06 / Honest Limits

What DebriefCore does not claim

  • Not SOC 2 audited
  • Not ISO/IEC 27001 certified
  • Not GDPR legally reviewed as compliant
  • Not HIPAA-ready for PHI
  • Not FAA-approved
  • AI does not auto-approve outputs

07 / Contact

Security questions & enterprise inquiries

For security questions, responsible disclosure, enterprise security reviews, or to request a DPA: hello@debriefcore.com

Full security page: debriefcore.com/security

DebriefCore LLC · Security & Trust Packet · Rev 2026.07

This document is for informational purposes only and does not constitute certification, legal compliance, or regulatory approval.