Legal document

Security & Trust

Last updated: June 19, 2026

This page lists the security controls currently enabled in the CTI Zero production environment. It is maintained by Agentic Labs LLC and is intended to help security and procurement reviewers understand our posture. It is a factual description of enabled controls, not an independent certification. For attested artefacts (SOC 2, ISO 27001, pen-test letters), contact security@ctizero.com.

Enabled controls

Tenant isolation via Row-Level Security

Every application table has Row-Level Security enabled. Policies scope reads and writes to the authenticated user or their team. The Data API rejects requests that cannot satisfy a policy, even with a valid token.

Separated role storage

Roles are stored in a dedicated user_roles table — never on profiles — and resolved through a SECURITY DEFINER has_role() function. This blocks privilege-escalation paths where an attacker self-grants admin via a profile update.

Hashed API tokens

API tokens are shown to the user exactly once at creation. Only a SHA-256 hash and a short non-secret prefix are stored. Revocation is timestamp-based and enforced on every request, alongside a per-token rolling rate limit.

Hashed team-invite tokens

Team invitations are issued as opaque tokens stored only as hashes. The invitee presents the plaintext token, which is hashed and compared in constant time. Tokens have an expiry and are single-use.

HMAC-signed outbound webhooks

Outbound webhooks are signed with HMAC-SHA256 using a per-webhook secret. We include a timestamp header and signature header so receivers can verify authenticity and reject replays. Secrets are never returned by the API after creation.
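A receiver-side check for the scheme described above, as an added example (not CTI Zero code). Assumptions, since this page does not specify them: the signed string is the timestamp, a dot, then the raw body; the signature is hex; the timestamp is Unix seconds; the tolerance is 300 seconds; and the caller maps the two headers into `timestamp` and `signature` fields.

```javascript
// Added example, not CTI Zero code. ASSUMPTIONS: signed string is
// `${timestamp}.${rawBody}`, hex signature, Unix-seconds timestamp, 300 s window.
const crypto = require("node:crypto");

const TOLERANCE_SECONDS = 300; // assumed replay window

// Compute the hex HMAC-SHA256 over the assumed signing string.
function sign(secret, timestamp, rawBody) {
  return crypto
    .createHmac("sha256", secret)
    .update(`${timestamp}.${rawBody}`, "utf8")
    .digest("hex");
}

// headers: { timestamp, signature } taken from the two webhook headers.
// rawBody: the exact bytes received, before any JSON parsing.
// seen: a Set (or shared cache with TTL) of signatures already accepted.
function verifyWebhook(secret, headers, rawBody, nowSeconds, seen) {
  const timestamp = String(headers.timestamp ?? "");
  const signature = String(headers.signature ?? "").toLowerCase();
  if (!/^\d{1,12}$/.test(timestamp)) return { ok: false, reason: "bad-timestamp" };
  if (!/^[0-9a-f]{64}$/.test(signature)) return { ok: false, reason: "bad-signature" };

  // Check the MAC first: the timestamp is only trustworthy once authenticated.
  const expected = Buffer.from(sign(secret, timestamp, rawBody), "hex");
  const received = Buffer.from(signature, "hex");
  if (!crypto.timingSafeEqual(expected, received)) {
    return { ok: false, reason: "signature-mismatch" };
  }
  if (Math.abs(nowSeconds - Number(timestamp)) > TOLERANCE_SECONDS) {
    return { ok: false, reason: "stale-timestamp" };
  }
  // A captured delivery is still valid inside the window, so reject repeats.
  if (seen.has(signature)) return { ok: false, reason: "replayed" };
  seen.add(signature);
  return { ok: true, reason: null };
}

// Constructed sample delivery (secret, body and time are made up).
const SECRET = "constructed-webhook-secret";
const BODY = '{"event":"example.created","id":"constructed-1"}';
const TS = "1750000000";
const SIG = sign(SECRET, TS, BODY);
const seen = new Set();
console.log(verifyWebhook(SECRET, { timestamp: TS, signature: SIG }, BODY, 1750000030, seen));
console.log(verifyWebhook(SECRET, { timestamp: TS, signature: SIG }, BODY, 1750000040, seen));
```

Verify against the raw request body rather than a re-serialised JSON object, because any change in whitespace or key order changes the MAC.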

Secret-column lockdown

Sensitive columns (token hashes, webhook secrets, integration credentials) are excluded from PostgREST projections used by the client. Server functions read them only inside authenticated, scoped handlers.

Authenticated server functions

Mutations and privileged reads run through TanStack server functions guarded by requireSupabaseAuth middleware. The user's bearer token is attached server-side and RLS applies as that user. Service-role access is used only after the caller's role is verified.

Audit logging

API requests are logged with token id, path, status and timestamp for at least the rate-limit window. Auth events (sign-in, sign-out, password change) are recorded by the managed auth provider and available for review.

Encryption in transit and at rest

All external traffic uses TLS 1.2+. The managed Postgres database, object storage and backups are encrypted at rest using provider-managed keys (AES-256).

Public API surface is narrow and explicit

Endpoints under /api/public/* are the only routes that bypass session auth. Each one validates input with Zod, requires a Bearer token (or HMAC signature for webhooks), and is rate-limited per token. No PII is returned from public endpoints.

Shared responsibility

Agentic Labs LLC is responsible for the security of the platform: the controls described above, the underlying infrastructure, and the configuration of managed services. Customers are responsible for protecting their account credentials and API tokens, rotating them on personnel changes, configuring team roles appropriately, and ensuring their use of the platform complies with the Acceptable Use Policy.

Reporting a vulnerability

We welcome coordinated disclosure. Email security@ctizero.com with reproduction steps. Please allow reasonable time to remediate before public disclosure. We do not currently operate a paid bug bounty programme but will acknowledge valid reports.

Changes

Material changes to the controls described above will be reflected on this page. Customers on paid plans can subscribe to security update notifications by emailing security@ctizero.com with the subject "Security update notifications".