Trueform

Security & trust

posture v1

Trueform was built security-first. These controls are implemented today; they are not roadmap items.

Tenant isolation

  • Every customer is a separate org. All data is row-level-security scoped to the org_id claim in the signed JWT — no cross-tenant read is possible even with a leaked query.
  • SCIM and server writes use a service-role path that scopes by the org resolved from the SCIM bearer token, never a user token.

Identity

  • OIDC single sign-on; SAML available on request.
  • SCIM 2.0 provisioning/deprovisioning. Deactivation is a soft-delete: access is revoked immediately while the audit history is preserved.
  • Role-based access (admin / editor / contributor / viewer); group membership drives role assignment.

Data handling

  • Prompts are scrubbed of 19 categories of secrets and PII (PEM keys, cloud credentials, API tokens, JWTs, SSNs, card numbers, IPs) before they leave the app.
  • Generated Terraform is the only artifact written to your GitHub repo. No customer source is retained by the model provider beyond the request.
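
The prompt-scrubbing step described above can be illustrated with a small redaction pass. This is an added example, not Trueform's code: it covers six of the listed categories, and the regexes, the `[REDACTED:...]` placeholder format and the function names are assumptions made for illustration.

```python
import ipaddress
import re
# Constructed patterns for a subset of the categories above (not Trueform's rules).
PATTERNS = [
    ("PEM_KEY", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----", re.S)),
    ("JWT", re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")),
    ("AWS_KEY_ID", re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")),
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
]
CARD = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")   # 13-19 digits, optional separators
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def luhn_ok(digits):  # card checksum; filters out order ids and other digit runs
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def _card(m):
    return "[REDACTED:CARD]" if luhn_ok(re.sub(r"\D", "", m.group())) else m.group()

def _ip(m):
    try:
        ipaddress.IPv4Address(m.group())
    except ValueError:  # e.g. a version string such as 1.2.3.400
        return m.group()
    return "[REDACTED:IP]"

def scrub(text):
    """Return (scrubbed_text, counts per category) for an outbound prompt."""
    counts = {}
    def tag(label, check=None):
        def repl(m):
            out = check(m) if check else f"[REDACTED:{label}]"
            if out != m.group():
                counts[label] = counts.get(label, 0) + 1
            return out
        return repl
    for label, pat in PATTERNS:  # PEM and JWT first so later rules never see their bodies
        text = pat.sub(tag(label), text)
    text = CARD.sub(tag("CARD", _card), text)
    text = IPV4.sub(tag("IP", _ip), text)
    return text, counts

# Constructed sample prompt; every value is fake.
SAMPLE = ("Allow 10.20.30.40 with key AKIAIOSFODNN7EXAMPLE, card 4111 1111 1111 1111, "
          "SSN 078-05-1120, provider 1.2.3.400, order 1234 5678 9012 3456.")
```

The per-category counts can be logged without the matched values, so the scrubber's own telemetry does not become a second copy of the secrets.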

Operations

  • Append-only audit log per org, covering every privileged action with cost attribution.
  • Published threat model (8 ranked risks, quarterly review) and incident-response runbooks (10 break-glass procedures).
  • CI security: dependency lockfile, pip-audit, gitleaks, CodeQL, and SHA-pinned GitHub Actions.
  • Per-actor daily spend quotas and sliding-window rate limits on every automated surface.

Full SECURITY, THREAT_MODEL, and INCIDENT_RESPONSE documents are maintained in the repository and available under NDA.