DebriefCore
Customer-facing security summary · Rev 2026.07
Readiness disclaimer: DebriefCore is actively building against recognized security and governance baselines. Unless explicitly stated, readiness language does not mean certification, audit completion, legal compliance, or regulatory approval.
01 / How Data Flows
From capture to approved knowledge
Capture
An expert speaks or types. Voice or text is captured with the expert's knowledge.
AI Draft
The AI provider drafts a summary. Always marked as a draft — never sent to model training.
Human Review
An authorized Owner, Admin, or Reviewer approves or rejects it. No code path auto-approves.
Approved Knowledge
Stored with Row Level Security. Organization A cannot read Organization B's data.
Nova Boardroom Q&A
Answers are grounded only in approved knowledge, with sources cited.
Exports & Evidence
PDF/DOCX exports and the Governance Evidence report carry the same audit trail.
02 / Current Safeguards
Controls live in production today
All AI-generated outputs remain drafts until reviewed and approved by an authorized human. No auto-approval.
Row Level Security enforced at the database layer. Organization A cannot read Organization B data.
Owner / Admin / Reviewer / Member roles enforced throughout the product and database layer.
Append-only audit log records who performed each key action, when, and within which organization.
Postgres AES-256 at rest (Supabase/AWS). TLS 1.2+ enforced for all connections via Vercel HTTPS.
Photos stored privately per org; served via short-lived signed URLs only. Never sent to any AI model.
No code path in DebriefCore permits AI output to become approved knowledge without human action.
Every article carries a governance status. A daily check marks overdue articles stale. Revision history is append-only.
03 / AI Trust Model
How DebriefCore uses AI
- AI outputs are always drafts — no code path permits auto-approval into organizational knowledge.
- AI provider API key is server-side only — never sent to the browser, never logged.
- Reference photos are never sent to any AI model.
- Nova Boardroom session content is not persisted server-side.
- AI provider is swappable via the Enterprise AI Control Plane — trust model stays the same regardless of provider.
- AI interactions are recorded in audit logs including model and intent metadata.
04 / Compliance Readiness
Framework alignment status
| Framework | Status | Note |
|---|---|---|
| NIST CSF 2.0 | Mapped Baseline | Mapped baseline — not NIST certified |
| OWASP ASVS Level 1 | Readiness In Progress | Readiness baseline — not formally audited |
| SOC 2 (Security) | Not Audited | Readiness in progress — not SOC 2 audited |
| ISO/IEC 27001:2022 | Not Certified | Readiness in progress — not certified |
| Privacy / GDPR / CCPA | Legal Review Required | Documentation in progress — legal review required |
| FAA SMS-Style Safety Learning | Not FAA-Approved | Alignment only — not FAA approved |
05 / Subprocessors
Key third-party data processors
| Vendor | Service | Data Location | DPA |
|---|---|---|---|
| Supabase | Database, Auth, Storage | US (AWS us-east-1) | Available |
| OpenAI | AI inference (knowledge assist, Boardroom) | US | Available |
| Vercel | Hosting, CDN, serverless | US (Vercel edge) | Available |
| Resend | Transactional email | US | Available |
| Stripe | Payment processing | US (PCI DSS certified) | Available |
Full subprocessor list published separately. Customer DPA available on request.
06 / Honest Limits
What DebriefCore does not claim
- Not SOC 2 audited
- Not ISO/IEC 27001 certified
- Not GDPR legally reviewed as compliant
- Not HIPAA-ready for PHI
- Not FAA-approved
- AI does not auto-approve outputs
07 / Contact
Security questions & enterprise inquiries
For security questions, responsible disclosure, enterprise security reviews, or to request a DPA: hello@debriefcore.com
Full security page: debriefcore.com/security
DebriefCore LLC · Security & Trust Packet · Rev 2026.07
This document is for informational purposes only and does not constitute certification, legal compliance, or regulatory approval.