← Trust Center

Security Overview

Architectural and operational security posture for Eubulia.

Tenancy & isolation

Eubulia uses Supabase PostgreSQL with Row-Level Security (RLS) on 15 core tables and per-organization isolation across 35 tables. Each customer is a separate organization with strict data isolation enforced at the database layer (not just application layer).

Authentication

Supabase Auth with JWT validation, Google + Microsoft SSO, and lazy user sync. Email allowlist enforced at hook level. Super-admin actions require X-Admin-Token (separate credential not granted to customers).

Encryption

TLS 1.3 in transit (HTTPS-only). At-rest encryption via Supabase (AES-256). Application-level encryption for sensitive fields on roadmap.

Audit trail

Bitemporal data model means every change to risks, decisions, documents, and semantic chunks is preserved as an immutable version with system-time and source-time timestamps. Full audit trail by design, not by configuration.

LLM routing audit

Every LLM call is logged with task type, model selected, rationale, latency, and cost. Compliance-bound clients can verify their data was routed to EU-only models with full audit trail.

Document storage

Customer source documents never leave the customers cloud (OneDrive, Google Drive, NextCloud, local). Eubulia indexes metadata in Qdrant; the source files are read in-place via OAuth-scoped access.

Data deletion

GDPR Article 17 right to erasure implemented as one-button per-client hard-delete. Cascading deletion across structured graph + vector indexes, with audit log of the deletion event preserved bitemporally.

Sovereign deployment (roadmap)

For compliance-bound clients (defense, government, regulated healthcare), Eubulia can be deployed to your own Azure EU tenant. ETA H2 2026. Contact us if you need this now.

Security questionnaire?

Email hello@eubulia.eu. We respond within 2 business days with completed CAIQ Lite or your firms questionnaire format.