Security

Security by default, not as an afterthought.

boxli is built on a per-org row-level-security model from day one. Inbound webhooks are HMAC-signed and idempotent. SOC 2 Type II audit is planned for the second half of 2026 — we'll update this page when we engage an auditor.

SOC 2 Type II · planned 2026 · HMAC-SHA256 on inbound ingest · RLS-isolated per organization

Data isolation

Every table that holds tenant data has a Postgres row-level security policy keyed on organization_id. The policy pattern is uniform across the schema and tested in CI. There is no "admin bypass" in application code — service-role access is limited to billing reconciliation, support escalation (audit logged), and migrations.
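As an added illustration of the pattern described above (example code, not boxli's own schema or CI job), here is the per-table policy template plus the kind of check a CI step can run over a catalog snapshot. Everything here is assumed: the table and column names in the sample data are constructed, the org id is assumed to be bound per request through a `current_setting('app.organization_id')` session variable, and "keyed on organization_id" is approximated by checking that the policy expression mentions the column. Two Postgres details the check enforces that are easy to miss: without `FORCE ROW LEVEL SECURITY` the table owner is exempt from its own policies, and because policies are permissive by default a single unkeyed policy (`WITH CHECK (true)`) opens the table regardless of the others. Roles with `BYPASSRLS` skip RLS entirely no matter what, which is why service-role use has to be constrained at the application level as the page describes.

```typescript
// Shape of the rows a CI job would pull from pg_tables / pg_class / pg_policies.
// The sample data at the bottom is constructed for this example.
type Cmd = "ALL" | "SELECT" | "INSERT" | "UPDATE" | "DELETE";
const ALL_CMDS: Cmd[] = ["SELECT", "INSERT", "UPDATE", "DELETE"];

export interface TableInfo {
  name: string;
  columns: string[];
  rowsecurity: boolean;       // pg_tables.rowsecurity
  forcerowsecurity: boolean;  // pg_class.relforcerowsecurity
}
export interface PolicyInfo {
  tablename: string;
  cmd: Cmd;                   // pg_policies.cmd
  qual: string | null;        // pg_policies.qual       (USING)
  with_check: string | null;  // pg_policies.with_check (WITH CHECK)
}

export const TENANT_KEY = "organization_id";
// Assumption: the request's org id is bound with SET LOCAL app.organization_id;
// the page does not say how the database session is keyed.
export const ORG_EXPR = "current_setting('app.organization_id', true)::uuid";

// The uniform per-table pattern: enable, force (so the owner is not exempt), and one
// policy that filters reads (USING) and constrains writes (WITH CHECK) to the caller's org.
export function policyDdl(table: string): string {
  return [
    `ALTER TABLE ${table} ENABLE ROW LEVEL SECURITY;`,
    `ALTER TABLE ${table} FORCE ROW LEVEL SECURITY;`,
    `CREATE POLICY ${table}_org_isolation ON ${table}`,
    `  USING (${TENANT_KEY} = ${ORG_EXPR})`,
    `  WITH CHECK (${TENANT_KEY} = ${ORG_EXPR});`,
  ].join("\n");
}

// Returns one finding per line; an empty array means every tenant table passes.
export function auditRls(tables: TableInfo[], policies: PolicyInfo[]): string[] {
  const problems: string[] = [];
  // Heuristic: a policy counts as tenant-keyed if its expression mentions the column.
  const keyed = (expr: string | null): boolean => expr !== null && expr.includes(TENANT_KEY);
  for (const t of tables) {
    if (!t.columns.includes(TENANT_KEY)) continue; // not a tenant table
    if (!t.rowsecurity) problems.push(`${t.name}: row level security not enabled`);
    if (!t.forcerowsecurity) problems.push(`${t.name}: FORCE ROW LEVEL SECURITY not set (table owner bypasses policies)`);
    const covered = new Set<Cmd>();
    for (const p of policies.filter((q) => q.tablename === t.name)) {
      const reads = p.cmd !== "INSERT";
      const writes = p.cmd !== "SELECT" && p.cmd !== "DELETE";
      // Postgres applies the USING expression to new rows when WITH CHECK is omitted.
      const readOk = !reads || keyed(p.qual);
      const writeOk = !writes || keyed(p.with_check ?? p.qual);
      if (!readOk || !writeOk) {
        // Policies are permissive by default, so one unkeyed policy opens the table.
        problems.push(`${t.name}: ${p.cmd} policy is not keyed on ${TENANT_KEY}`);
        continue;
      }
      for (const c of p.cmd === "ALL" ? ALL_CMDS : [p.cmd]) covered.add(c);
    }
    // RLS with no matching policy is default-deny: a lockout rather than a leak, still a CI failure.
    for (const c of ALL_CMDS) if (!covered.has(c)) problems.push(`${t.name}: no ${TENANT_KEY} policy covers ${c}`);
  }
  return problems;
}

// Constructed catalog snapshot: one compliant table, one with gaps, one non-tenant table.
export const SAMPLE_TABLES: TableInfo[] = [
  { name: "contacts", columns: ["id", "organization_id", "email"], rowsecurity: true, forcerowsecurity: true },
  { name: "notes", columns: ["id", "organization_id", "body"], rowsecurity: true, forcerowsecurity: false },
  { name: "plans", columns: ["id", "name", "price_cents"], rowsecurity: false, forcerowsecurity: false },
];
export const SAMPLE_POLICIES: PolicyInfo[] = [
  { tablename: "contacts", cmd: "ALL", qual: `(organization_id = ${ORG_EXPR})`, with_check: null },
  { tablename: "notes", cmd: "SELECT", qual: `(organization_id = ${ORG_EXPR})`, with_check: null },
  { tablename: "notes", cmd: "INSERT", qual: null, with_check: "true" },
];
```

Running `auditRls(SAMPLE_TABLES, SAMPLE_POLICIES)` passes `contacts`, skips `plans`, and reports five findings on `notes`: the missing FORCE, the open INSERT policy, and no tenant-keyed coverage for INSERT, UPDATE or DELETE. In a real CI job the two arrays come from `SELECT ... FROM pg_tables JOIN pg_class` and `SELECT ... FROM pg_policies` against the migrated test database.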

Authentication

  • Email + password via Supabase Auth, with bcrypt hashing.
  • OAuth flows for Google and Microsoft on operator accounts.
  • Per-org SSO (SAML / OIDC) on the roadmap for Q3 2026.
  • Session cookies are HttpOnly, Secure, SameSite=Lax. Refresh tokens rotate on session refresh per Supabase Auth defaults.

Webhook security

Inbound engagement events from the brochure vendor and other telemetry sources are signed with HMAC-SHA256 using a per-org ingest_secret (64 hex characters, rotatable). Verification uses a constant-time comparison, and a redelivered event with the same external_event_id maps onto the existing row through a partial unique index, so ingest is idempotent. See the full architecture in our engineering deep dive.
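The verification and deduplication flow above, as an added example (not boxli's own handler). Assumptions are marked in the code: the header name, that the 64-hex secret is decoded to its 32 raw bytes before use as the HMAC key (the sender must use the same convention), that rotation keeps the previous secret for a grace period so in-flight deliveries still verify, and an in-memory Map standing in for the events table, where the Map key plays the role of the partial unique index. The order of operations is the point: authenticate the raw bytes first, parse JSON second, deduplicate third, and reject a malformed signature header before doing any crypto at all.

```typescript
import { createHmac, randomBytes, timingSafeEqual } from "node:crypto";

// Per-org secret material. Keeping the previous secret for a grace period
// after rotation is an assumption about how "rotatable" is implemented.
export interface IngestSecrets {
  current: string;   // 64 hex chars = 32 random bytes
  previous?: string;
}

export function newIngestSecret(): string {
  return randomBytes(32).toString("hex");
}

// Assumed header name; the page does not state it. Value = hex(HMAC-SHA256(key, raw body)).
export const SIGNATURE_HEADER = "x-boxli-signature";

// Assumption: the hex secret is decoded to raw bytes before use as the key.
function hmac(secretHex: string, rawBody: Buffer): Buffer {
  return createHmac("sha256", Buffer.from(secretHex, "hex")).update(rawBody).digest();
}

// Sender side (what the vendor would compute over the exact bytes it sends).
export function signBody(secretHex: string, rawBody: Buffer): string {
  return hmac(secretHex, rawBody).toString("hex");
}

// Constant-time check against the current secret and, during rotation, the previous one.
export function verifySignature(secrets: IngestSecrets, rawBody: Buffer, header: string | undefined): boolean {
  // Malformed or missing header: reject before touching any secret.
  if (header === undefined || !/^[0-9a-f]{64}$/i.test(header)) return false;
  const given = Buffer.from(header, "hex");
  let ok = false;
  for (const secret of [secrets.current, secrets.previous]) {
    if (secret === undefined) continue;
    // timingSafeEqual throws on length mismatch; both buffers are 32 bytes here.
    if (timingSafeEqual(hmac(secret, rawBody), given)) ok = true;
  }
  return ok;
}

// In-memory stand-in for the events table. The Map key models the partial unique
// index (assumed DDL: UNIQUE (organization_id, external_event_id)
// WHERE external_event_id IS NOT NULL), so a redelivery lands on the existing row.
export class EventStore {
  private rows = new Map<string, number>();
  private nextId = 1;
  // Equivalent of INSERT ... ON CONFLICT DO NOTHING followed by a SELECT of the winner.
  insertOrExisting(orgId: string, externalEventId: string): { id: number; inserted: boolean } {
    const key = `${orgId}\u0000${externalEventId}`;
    const existing = this.rows.get(key);
    if (existing !== undefined) return { id: existing, inserted: false };
    const id = this.nextId++;
    this.rows.set(key, id);
    return { id, inserted: true };
  }
}

export interface IngestResult { status: 200 | 400 | 401; id?: number; inserted?: boolean }

// Request handler: authenticate the raw bytes first, parse second, dedupe third.
export function handleIngest(
  orgId: string,
  secrets: IngestSecrets,
  store: EventStore,
  headers: Record<string, string | undefined>,
  rawBody: Buffer,
): IngestResult {
  if (!verifySignature(secrets, rawBody, headers[SIGNATURE_HEADER])) return { status: 401 };
  let parsed: unknown;
  try { parsed = JSON.parse(rawBody.toString("utf8")); } catch { return { status: 400 }; }
  if (parsed === null || typeof parsed !== "object") return { status: 400 };
  const externalEventId = (parsed as { external_event_id?: unknown }).external_event_id;
  if (typeof externalEventId !== "string" || externalEventId === "") return { status: 400 };
  const { id, inserted } = store.insertOrExisting(orgId, externalEventId);
  return { status: 200, id, inserted };
}
```

Note that the dedupe key includes the org: two organizations receiving an event with the same vendor-side id get two rows, while the same org receiving the same event twice gets one. Signing the raw body rather than a re-serialized JSON object matters because any whitespace or key-order difference between what the vendor signed and what you hash will fail verification.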

Encryption

  • In transit: TLS 1.3 on all customer-facing endpoints; HSTS preload planned.
  • At rest: Postgres-managed encryption at the storage layer (Supabase / managed Postgres). Per-column encryption of OAuth tokens and integration secrets is on the pre-SOC-2 hardening roadmap.
  • Backups: daily logical backups via the managed Postgres provider with point-in-time recovery.

Audit logging

Every dispatched trigger lands in trigger_fires with a foreign key to the originating event. Operator account changes are recorded in our application logs; cryptographic tamper-evidence on the audit trail is on the pre-SOC-2 hardening roadmap.

Vendor and infrastructure

  • Hosting: Vercel (US-east) for the Next.js app.
  • Database: Supabase (Postgres) with point-in-time recovery.
  • Payments: Stripe (PCI handled entirely on Stripe's side; we never store card numbers).
  • Email: Resend.
  • Video brochure vendor: contractual data-processing agreement; per-org HMAC secrets.

Compliance roadmap

  • SOC 2 Type II: planned for the second half of 2026. We'll update this section when an auditor is engaged and the Type II observation window opens.
  • GDPR DPA: available on request for EU operators.
  • HIPAA: not in scope. boxli is not designed for or offered to healthcare workflows that handle PHI.

Reporting a vulnerability

We take security reports seriously and respond within one business day. Email security@sendaboxli.com with a description of the issue. We don't run a paid bounty program yet but credit researchers in our acknowledgments.