Precisia – Security Documentation
1. Introduction
1.1 Purpose of Document
This document serves as Precisia’s comprehensive security package. It is intended for prospective customers, partners, and due diligence teams conducting vendor assessments. The document outlines the principles, controls, and practices in place at Precisia to ensure the confidentiality, integrity, and availability of client data. It also demonstrates Precisia’s alignment with industry standards such as ISO 27001, SOC 2 Trust Principles, and the OWASP framework.
Our goal is to provide transparency and reassurance that Precisia maintains strong security practices, appropriate for our size and stage, and designed to scale with our growth and our clients’ requirements.
1.2 Company Overview
Precisia is a software-as-a-service (SaaS) platform designed for structured data extraction. It transforms unstructured documents into structured formats, enabling professionals in finance, consulting, and legal services to derive actionable insights quickly and reliably.
The platform is entirely cloud-native, hosted in the European Union, and built on a secure, serverless architecture leveraging AWS Lambda, Supabase, Vercel, and supporting services. Given the sensitive nature of client information handled by Precisia, security and compliance form the foundation of our technical and organizational design.
1.3 Scope of Security Program
This package covers:
- Information security governance and organizational roles
- Information Security Policy framework
- Personnel security measures
- Physical and environmental security
- Infrastructure and network architecture
- Access control, authentication, and encryption
- Monitoring, logging, and incident response
- Vulnerability management
- Business continuity and disaster recovery
- Development lifecycle and change management
- Risk management practices
- Vendor and third-party controls
- Data retention and disposal policies
- Compliance with GDPR and alignment to SOC 2
2. Governance & Security Organization
2.1 Roles & Responsibilities
- Chief Technology Officer (CTO): The CTO holds exclusive administrator privileges over production infrastructure and client data. He is responsible for overall information security, including policy enforcement, incident response, and infrastructure resilience.
- Technical Team: While developers do not have direct production access, they are trained in secure coding and operational security practices. They are capable of supporting incident response activities when delegated, ensuring continuity even in the rare event that the CTO is unavailable.
- Cofounders: The cofounders provide oversight, ensuring that security is integrated into the broader business strategy and resourced appropriately.
2.2 Management Commitment
Security is embedded into Precisia’s organizational DNA. The leadership team views data protection as a critical trust enabler with clients. Management commitment is demonstrated through:
- Direct involvement of the CTO in day-to-day security monitoring and decision-making.
- Regular reviews of security risks and incidents by the founding team.
- Allocation of time and resources for code reviews, dependency monitoring, and infrastructure hardening.
- Transparency with clients regarding security controls and limitations.
2.3 Accountability
Security responsibilities are documented and communicated to all team members. Precisia maintains a principle of clear ownership: all privileged activities are attributed to specific individuals, and administrator actions are logged. Policies and practices are reviewed annually, or after significant incidents, to ensure accountability and continuous improvement.
3. Information Security Policy
3.1 Core Principles
Precisia’s Information Security Policy is based on the following principles:
- Confidentiality: All client data is classified as confidential by default and handled accordingly.
- Integrity: Safeguards are in place to prevent unauthorized modification or corruption of data.
- Availability: Infrastructure is designed with high resilience, using cloud-native, serverless components.
- Privacy: All data handling complies with GDPR requirements, including data minimization and client rights.
3.2 Alignment with Industry Standards
- Inspired by ISO 27001 for security governance and risk management.
- Aligned with SOC 2 Trust Principles (security, availability, confidentiality, integrity, privacy).
- Incorporates OWASP Top 10 guidance for secure coding practices.
3.3 Policy Lifecycle
- Policies are reviewed at least annually.
- Reviews are also triggered by incidents, regulatory updates, or significant architectural changes.
- Improvements and action items are tracked within Precisia’s project management system (Notion).
- Policy updates are communicated directly to all staff, ensuring awareness and compliance.
3.4 Continuous Improvement
Precisia acknowledges that as a growing startup, security policies must evolve with scale. Continuous improvement is pursued by:
- Reviewing client feedback during security assessments.
- Learning from incidents and near-misses.
- Monitoring updates from vendors and cloud providers.
- Tracking industry best practices and integrating them into processes.
4. Personnel Security
4.1 Hiring and Background Verification
Precisia maintains a selective hiring process for all technical and operational roles. Candidate vetting includes:
- Verification of prior work experience and references.
- Validation of academic qualifications.
- Review of professional reputation and references within the industry.
While formal background checks (e.g., police or credit checks) are not currently part of the process due to company stage, employment offers are contingent on validated references and skills.
4.2 Onboarding and Training
All new employees undergo onboarding led by the CTO. This includes:
- MFA setup across all systems.
- Secure coding practices aligned with OWASP guidance.
- Data handling requirements, including GDPR compliance.
- A review of Precisia’s information security policies.
This ensures all employees are equipped to handle client data responsibly from day one.
4.3 Ongoing Awareness
- Bi-weekly team sessions review best practices and lessons learned.
- Pair programming and peer code review embed secure practices.
- Informal sessions allow discussion of new vulnerabilities or provider advisories.
4.4 Offboarding
When an employee leaves:
- Access to GitHub repositories, project management tools, and documentation is revoked immediately.
- MFA tokens are invalidated.
- Employees never hold production access, minimizing risk.
5. Physical & Environmental Security
5.1 Cloud Provider Facilities
Precisia relies exclusively on managed, certified cloud providers:
- AWS Lambda (Paris region): Provides compute functions with SOC 2, ISO 27001, and GDPR compliance.
- Supabase (Frankfurt region): PostgreSQL and storage in the EU, with built-in AES-256 encryption.
- Vercel (EU region): Serverless hosting and CDN with robust security controls.
These providers offer physical protections including surveillance, guards, fire suppression, redundant power, and access control.
5.2 Office Environment
Although Precisia does not manage its own data centers, employee devices and offices follow strict controls:
- Company laptops use full-disk encryption.
- MFA is enforced for all services.
- VPN and secure Wi-Fi are required when working remotely.
- No sensitive client data is stored locally.
5.3 Environmental Risks
- There are no on-premises servers.
- All resilience, redundancy, and disaster prevention (fire, power, flood) are managed by cloud vendors.
6. Security Architecture
6.1 Overview
Precisia’s architecture is serverless and cloud-native, reducing the attack surface and eliminating many traditional risks. Key components include:
- Frontend Delivery: Vercel, for static hosting and serverless API endpoints.
- Application Logic: AWS Lambda, containerized functions handling processing.
- Database & Authentication: Supabase PostgreSQL with Row-Level Security (RLS) and managed authentication.
- Message Queues: AWS SQS, providing decoupled and resilient task processing for AI and ETL workflows.
- CI/CD: GitHub Actions, managing builds, tests, and deployments.
- Monitoring & Logging: Sentry, AWS CloudWatch, Supabase logs, and GitHub audit logs.
6.2 Hosting Regions
- AWS Paris (eu-west-3)
- Supabase EU (Frankfurt)
- Vercel EU region
All client data is stored and processed exclusively in the EU to ensure GDPR compliance. Regions can also be configured specifically for a client account if required, allowing flexibility to meet contractual or regulatory obligations.
6.3 Security Features
- TLS 1.2+ enforced for all connections.
- Supabase RLS policies prevent unauthorized access across tenants.
- IAM roles and policies on AWS enforce least-privilege access.
- Provider firewalls block unnecessary ports and services.
6.4 Diagrams
- Network architecture diagram
- Software architecture diagram
7. Access Control
7.1 Principles
Precisia enforces the principle of least privilege across all environments. Every account, system, and integration is granted only the minimum permissions required to perform its role. No shared credentials are used, and all access is individual and auditable.
7.2 Administrator Access
- Production access is strictly limited to the CTO.
- Administrative sessions require MFA and strong, unique credentials.
- All administrative actions are logged and can be audited for traceability.
7.3 Role-Based Access Control
- Supabase: Row-Level Security (RLS) ensures strict separation of client data. RBAC policies limit what developers and services can access.
- Vercel: Project-level RBAC restricts who can deploy or configure production resources.
- GitHub: Teams and roles restrict repository write and administrative access.
7.4 Authentication
- All internal tools are secured through Google Workspace SSO, with MFA mandatory.
- End-users authenticate through Supabase Auth, with email verification required on registration. MFA is available and can be made mandatory for an organization. Multiple authentication providers are also supported: Google, Microsoft and others can be added on demand. SAML SSO is also available and can be set up with an organization’s own identity provider.
- Sessions are automatically expired and can be revoked on demand.
7.5 Access Reviews
- Access rights are reviewed quarterly by the CTO.
- Reviews include Supabase, Vercel, AWS, and GitHub permissions.
- Revoked accounts are logged, and the process is documented in Precisia’s project management system.
7.6 Onboarding & Offboarding
- Onboarding includes immediate provisioning of SSO accounts, MFA setup, and role assignment.
- Offboarding includes same-day revocation of access to all systems and repositories.
8. Encryption & Key Management
8.1 Data in Transit
- All communication uses TLS 1.2+ with strong cipher suites.
- HSTS is enabled at the application layer to enforce secure connections.
8.2 Data at Rest
- Supabase: AES-256 encryption for PostgreSQL and object storage.
- AWS Lambda & SQS: Data encrypted using AWS-managed KMS keys.
- Vercel: Built-in storage encryption for any cached or deployed assets.
8.3 Secrets Management
- Supabase Vault stores sensitive API keys.
- Vercel Environment Variables used for frontend/backend secrets.
- GitHub Secrets store build-time credentials for CI/CD pipelines.
8.4 Key Lifecycle
- Encryption keys are rotated automatically by cloud providers.
- Secrets are rotated manually when staff changes occur or on suspected compromise.
9. Monitoring & Logging
9.1 Monitoring Tools
- Sentry: Centralized error and anomaly monitoring across frontend and backend.
- AWS CloudWatch: Infrastructure-level logs and alarms for AWS Lambda and SQS.
- Supabase Logs: Database and storage usage monitoring, integrated into Sentry.
- GitHub Audit Logs: Tracks repository access, administrative changes, and dependency security events.
9.2 Log Centralization
Logs from multiple sources are centralized into Sentry, which aggregates and categorizes them by severity. This enables correlation across the stack and provides a single source for triage.
9.3 Alerting
- CTO receives immediate notifications of critical incidents via email and mobile alerts.
- The technical team can also view logs and act on anomalies, ensuring redundancy in incident response.
9.4 Retention & Compliance
- Logs are retained according to GDPR requirements.
- Access to logs is restricted to the CTO.
- Logs are tamper-resistant due to provider-managed integrity controls.
10. Incident Response
10.1 Detection
Incidents are detected through automated monitoring and alerting systems:
- Sentry: Captures real-time application errors and anomalies.
- AWS CloudWatch: Provides infrastructure-level logs and alarms for Lambda functions.
- Supabase: Generates alerts for database anomalies.
- GitHub: Issues dependency alerts and security vulnerability notifications.
These systems ensure comprehensive coverage across the stack and enable early identification of potential threats.
10.2 Escalation
- The CTO is the primary incident responder, receiving immediate notifications of critical events.
- The technical team is trained to act as secondary responders, ensuring that remediation actions can begin even if the CTO is unavailable.
- All incidents are logged and tracked in Precisia’s project management system (Notion) for accountability and resolution tracking.
10.3 Containment
- Rapid revocation of affected API keys or credentials.
- Session invalidation for compromised user accounts.
- Isolation of impacted systems through redeployment or configuration changes.
10.4 Communication
- Clients impacted by an incident are notified directly via email or telephone.
- If GDPR-reportable, incidents are disclosed to regulators and affected clients within mandated timelines.
- No public status page currently exists, but Precisia commits to transparency with directly affected stakeholders.
10.5 Recovery
- Restoration of services is performed using automated CI/CD pipelines.
- Data recovery is achieved through Supabase daily backups, tested quarterly.
- Recovery objectives are set at RTO <24h and RPO <24h.
10.6 Post-Incident Review
- Following resolution, a review is conducted to identify root causes and prevent recurrence.
- Lessons learned are documented, and new safeguards are implemented.
11. Vulnerability Management
11.1 Detection
- Dependabot: Provides continuous scanning of dependencies in GitHub repositories.
- GitHub Security Alerts: Notifies the team of known issues in libraries.
- Cloud provider advisories: AWS, Supabase, and Vercel bulletins are reviewed for relevant updates.
11.2 Prevention
- Code reviews always include a security focus, guided by an informal checklist.
- Only well-maintained and trusted third-party libraries are introduced into the stack.
- Row-Level Security (RLS) in Supabase enforces strong tenant isolation.
11.3 Correction
- Critical vulnerabilities are patched within 24 hours of discovery.
- Non-critical issues are addressed during regular development cycles.
- Fixes are tracked in GitHub pull requests and in Precisia’s project management system.
11.4 Review Process
- Formal internal security reviews are performed quarterly.
- Dependencies and configurations are reassessed to detect emerging risks.
11.5 Current Scope & Roadmap
- No static analysis tools (e.g., Snyk, CodeQL) are currently implemented, but their integration is planned.
- No external penetration testing has been performed yet; commissioning of third-party penetration tests is planned within 12–18 months.
12. Business Continuity & Disaster Recovery
12.1 Backups
- Automated daily backups are performed by Supabase.
- All backups are encrypted and replicated across regions.
- Retention: minimum 7 days, extendable upon client request.
12.2 Testing
- Manual restoration tests are performed quarterly.
- Tests validate integrity and confirm that services can be restored quickly if required.
12.3 Resilience
- The serverless architecture (AWS Lambda, Vercel, Supabase) minimizes single points of failure.
- AWS SQS provides asynchronous message handling, ensuring workloads can absorb spikes without service interruption.
- No physical servers are used, reducing dependency on local infrastructure.
12.4 Recovery Objectives
- RTO: Less than 24 hours for degraded functionality.
- RPO: Less than 24 hours of potential data loss.
- Full recovery: Within one week for a complete restoration of services.
12.5 Responsibility
- The CTO oversees continuity and recovery.
- The technical team is trained to follow documented recovery steps, ensuring resiliency even in the CTO’s absence.
13. Development Lifecycle & Change Management
13.1 Secure Development Practices
- Row-Level Security (RLS): All Supabase RLS policies are validated during development to guarantee strict tenant isolation. Test cases are written to simulate cross-tenant access attempts, ensuring policies cannot be bypassed.
- API Authorization: Every API endpoint includes explicit authorization checks. Even if a request comes from an authenticated user, role and ownership checks are performed before granting access.
- Secrets & Credentials: Reviews ensure that no secrets (API keys, tokens) are committed to source control or exposed in logs. Secrets are always stored and managed in provider vaults (Supabase Vault, GitHub Secrets, Vercel Env Vars).
- Dependency Management: Only mature, well-maintained npm libraries are introduced. Dependencies are continuously monitored by Dependabot, with security alerts prioritized and patched within 24h if critical.
- Serverless Permissions: AWS Lambda and SQS IAM roles are configured with least privilege. Functions are audited to ensure they cannot access resources outside their intended scope.
- Data Residency Compliance: Deployment workflows enforce EU-only region selection. Infrastructure-as-code scripts validate target regions to avoid accidental deployment outside the EU.
- Session & Token Handling: Supabase Auth sessions have enforced expirations. Tokens can be revoked instantly, and session handling in the frontend is reviewed to confirm that sessions are properly invalidated on logout and revocation.
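As an added illustration of the RLS validation and cross-tenant test cases described above (this is example code, not Precisia’s own schema or policies), the following PostgreSQL script defines a Supabase-style tenant-isolation policy and exercises it from the point of view of a user in one organization. The tables `organization_members` and `documents`, the column names, and the UUIDs are assumed for the example; `auth.uid()` is assumed to be Supabase’s built-in helper that returns the JWT `sub` claim.

```sql
-- Added example (not Precisia's schema or policies): tenant isolation with
-- Supabase Row-Level Security plus a cross-tenant test. Table names, columns
-- and UUIDs are constructed for the illustration.
create table organization_members (
  organization_id uuid not null,
  user_id         uuid not null,   -- corresponds to auth.users.id in Supabase
  role            text not null check (role in ('owner', 'member')),
  primary key (organization_id, user_id)
);
create table documents (
  id              uuid primary key default gen_random_uuid(),
  organization_id uuid not null,
  title           text not null
);
-- Deny by default: with RLS enabled, the "authenticated" role sees no rows
-- until a policy explicitly grants them.
alter table organization_members enable row level security;
alter table documents enable row level security;
-- Table privileges (Supabase grants these by default in "public"; explicit here
-- so the script also runs on plain PostgreSQL). RLS still filters the rows.
grant select on organization_members to authenticated;
grant select, insert, update, delete on documents to authenticated;

-- A user may read only their own membership rows; the documents policy
-- below depends on this subquery being permitted.
create policy "members read own memberships"
  on organization_members for select to authenticated
  using (user_id = auth.uid());
-- Documents are visible and writable only to members of the owning tenant.
-- USING filters rows for SELECT/UPDATE/DELETE; WITH CHECK guards INSERT and
-- the new version of an UPDATE, so a member cannot write into another tenant.
create policy "tenant members access their documents"
  on documents for all to authenticated
  using (organization_id in (select organization_id from organization_members
                             where user_id = auth.uid()))
  with check (organization_id in (select organization_id from organization_members
                                  where user_id = auth.uid()));

-- Cross-tenant test on constructed data. Run as the table owner inside a
-- transaction on a test database; everything is rolled back at the end.
begin;
insert into organization_members (organization_id, user_id, role) values
  ('11111111-1111-4111-8111-111111111111', 'aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa', 'member');
insert into documents (organization_id, title) values
  ('11111111-1111-4111-8111-111111111111', 'org A document'),
  ('22222222-2222-4222-8222-222222222222', 'org B document');
-- Impersonate user A the way PostgREST does for an authenticated request:
-- switch to the "authenticated" role and set the JWT claims setting.
set local role authenticated;
set local request.jwt.claims to
  '{"sub": "aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa", "role": "authenticated"}';
-- Expected: exactly 1 row (org A's document). Org B's row is not hidden by
-- an error; from this session's view it simply does not exist.
select organization_id, title from documents;
-- Expected: UPDATE 0. Targeting org B's row is a silent no-op because USING
-- filters it out before the update runs, so tests must assert the row count.
update documents set title = 'tampered'
 where organization_id = '22222222-2222-4222-8222-222222222222';
-- Expected: ERROR: new row violates row-level security policy for table
-- "documents". WITH CHECK rejects an insert into a tenant the user is not in.
insert into documents (organization_id, title)
values ('22222222-2222-4222-8222-222222222222', 'cross-tenant write');
rollback;
```

The test deliberately covers the three outcomes a cross-tenant test suite needs to distinguish: filtered reads, silently zero-row writes, and rejected inserts.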
13.2 CI/CD Pipeline
- Precisia uses GitHub Actions for its CI/CD workflows.
- Each pull request triggers:
  - Automated build and linting.
  - Unit and integration tests.
  - Dependency vulnerability scanning (Dependabot).
- CI/CD pipelines enforce approval rules: merges to the staging or production branches require peer review.
- Secrets used in the pipeline are injected securely from GitHub Secrets, never stored in plaintext.
- Deployment pipelines are reproducible and fully auditable, ensuring the same process is applied consistently.
13.3 Staging & Deployment
- All new code is deployed to a staging environment that mirrors production as closely as possible. This environment uses separate credentials, databases, and queues to avoid cross-contamination.
- Features remain in staging for at least 1–2 weeks of validation before promotion to production, except when addressing urgent hotfixes.
- Production deployments are restricted to the CTO, providing strict release control.
- Rollback mechanisms exist to revert to the last stable version within minutes, reducing downtime if regressions occur.
13.4 Change Documentation
- All code changes are documented in GitHub pull requests, which include testing notes and security considerations.
- Changes are linked to Precisia’s project management system (Notion) for traceability.
- Significant infrastructure or configuration changes are logged, reviewed, and stored as part of an internal audit trail.
- This approach ensures a complete history of changes that can be reviewed during internal audits or external assessments.
14. Risk Management
14.1 Identification
Precisia identifies risks through multiple channels:
- Continuous Monitoring: Logs and error alerts provide real-time insights into operational and security risks.
- Dependency & Vendor Advisories: Security bulletins from GitHub, AWS, Supabase, and Vercel are reviewed regularly.
- Incident Reviews: Every incident or near miss triggers a reflection to identify previously overlooked risks.
- Client Feedback: Security questionnaires and audits from clients highlight potential gaps.
14.2 Risk Register
- Risks are catalogued in a risk register maintained in Precisia’s Notion workspace.
- Each risk is assigned a severity (high/medium/low), likelihood (frequent/occasional/rare), mitigation plan, and responsible owner.
- Examples include:
  - Misconfigured RLS policies in Supabase leading to tenant data exposure.
  - AWS Lambda or SQS roles with excessive permissions.
  - Potential data residency violations if regions are misconfigured.
  - Supply-chain attacks via npm packages.
14.3 Assessment & Review
- Risks are reassessed quarterly by the CTO and technical team.
- Reviews consider the effectiveness of mitigations and whether risk ratings should be adjusted.
- New risks are logged immediately when discovered.
14.4 Mitigation
- High-severity vulnerabilities are patched within 24h.
- IAM permissions and RLS policies are reviewed during code reviews to avoid misconfigurations.
- Backups and restoration tests mitigate risks of data loss.
- Vendor certifications (SOC 2, ISO 27001) reduce third-party risk.
15. Vendor & Third-Party Management
15.1 Approved Vendors
Precisia relies only on a small number of trusted third-party providers:
- AWS (Lambda, SQS): Compute and queues.
- Supabase: Database, authentication, and storage.
- Vercel: Frontend delivery and serverless APIs.
- GitHub: Code hosting, CI/CD workflows, and dependency scanning.
- Sentry: Error monitoring and alerting.
15.2 Vendor Security & Compliance
- All vendors are GDPR-compliant.
- Core vendors hold SOC 2 and ISO 27001 certifications.
- Vendor compliance status is reviewed quarterly.
15.3 Subcontractors
- Precisia does not use subcontractors with access to production data.
- If subcontractors were to be engaged in the future, contracts would mandate GDPR compliance, confidentiality obligations, and least-privilege access.
15.4 Vendor Review Cycle
- Quarterly reviews are conducted to validate vendor reliability and continued compliance.
- Vendor performance is monitored through uptime SLAs and incident responsiveness.
16. Data Retention & Disposal
16.1 Retention
- Production data is retained only as long as required for client operations.
- Supabase backups are kept for 7 days by default, extendable upon client request.
16.2 Location
- All data is stored in the EU regions (AWS Paris, Supabase Frankfurt, Vercel EU).
- Regions can be configured specifically for client accounts if required, ensuring contractual or regulatory alignment.
16.3 Secure Deletion
- Data deletion requests are processed immediately upon client instruction.
- Deletion is performed using cloud provider APIs to ensure complete removal.
- No data is ever copied to removable media.
17. Compliance
17.1 GDPR
- Precisia complies with all GDPR obligations, including:
  - Data Minimization: Only data necessary for extraction workflows is stored.
  - Right of Access & Deletion: Clients may request data exports or deletion at any time.
  - Data Processing Agreements: In place with all vendors (AWS, Supabase, Vercel, GitHub, Sentry).
  - Data Residency: All hosting is restricted to EU regions by default.
17.2 SOC 2 Alignment
- Precisia has designed controls aligned to SOC 2 Trust Principles (security, availability, confidentiality, processing integrity, privacy).
- Formal certification is planned within 12–18 months.
17.3 Other Frameworks
- HIPAA, CCPA, and other frameworks are currently out of scope.
- Expansion to additional compliance frameworks will be considered as client demand grows.
18. Roadmap & Continuous Improvement
- Formalization: Expand documentation of security policies, including incident response (IR), business continuity (BCP), and vulnerability management.
- Penetration Testing: Engage an external security firm for annual penetration tests within the next 12–18 months.
- Certification: Achieve SOC 2 Type II certification in the same timeframe.
- Training: Extend employee training programs with regular refreshers and awareness sessions.
- Monitoring: Explore additional tooling for real-time alert escalation (e.g., PagerDuty or Opsgenie) as the team scales.
19. Summary
Precisia applies robust, industry-standard security controls across its platform. While still at the startup stage, policies, practices, and infrastructure are aligned with enterprise expectations and SOC 2 principles. Daily encrypted backups, MFA-enforced privileged access, RLS tenant isolation, and serverless resiliency form the foundation of the platform’s security posture.
Future plans include third-party penetration testing, SOC 2 certification, and expanded employee training. Precisia is committed to continuous improvement, transparency with clients, and building trust through strong security practices.