Elenor AI Platform Security Overview

Effective date: 17 November 2025

This document describes how authentication, authorization, and data protection are implemented across the Elenor AI Platform.

1. Authentication

  • All platform products use Supabase Auth for user authentication.
  • Passwords are hashed using bcrypt and never stored in plain text.
  • Access tokens are JWTs that expire after 60 minutes; a refresh token is used to obtain new access tokens automatically without re-prompting for credentials.
  • Multi-factor authentication (MFA) is available through a one-time code sent by email. This second factor is delivered to the same mailbox that handles password reset, so it does not protect an account whose email is compromised.
  • Password reset uses a one-time code sent to the account's verified email address.

2. Authorization

  • Role-based access control (RBAC) is implemented via a role stored on the user profile; the backend reads the role from the profile record on the server, not from any value supplied by the client.
  • Default role: user; elevated roles are granted administratively.
  • API requests must carry a valid JWT as a bearer token in the Authorization header (Authorization: Bearer <token>).
  • The backend validates each token server-side (signature, expiry and session validity) before processing the request. The Supabase service role key is held only in the backend and bypasses Row Level Security, so it is never sent to clients and any query issued with it checks record ownership explicitly.
  • Requests with a missing, invalid or expired token return 401 Unauthorized.

3. Data Protection

  • Encryption in transit: All communications use HTTPS/TLS.
  • Encryption at rest: Database and file storage encrypted by Supabase.
  • Row Level Security (RLS): Database policies enforce user data isolation.
  • Access control: Users can only access their own data via auth.uid() policies.
  • API keys: All service credentials stored server-side only, never exposed to clients.

4. Database Security

  • Row Level Security is enabled on all critical tables. RLS must be enabled per table; a table without it is readable by any authenticated role, so new tables holding user data are created with RLS on.
  • Policies compare the row's owner column with auth.uid() for SELECT, INSERT, UPDATE and DELETE, so a user can only read, write or delete their own records.
  • Queries issued from the backend additionally check record ownership before executing, rather than relying on RLS alone.
  • Triggers and foreign-key constraints maintain data integrity (automatic timestamps, cascading deletes of dependent records).
  • Regular backups maintained by Supabase.

5. File Storage Security

  • Files stored in Supabase Storage with owner-based access control.
  • Supabase Storage records the uploading user as the object's owner (owner = auth.uid()), so ownership is set server-side rather than by the client.
  • Storage policies on storage.objects restrict read and delete to the object's owner, so users cannot access or remove other users' files.
  • Buckets holding user files are private; with no matching policy, no access is granted at all.
  • Files are deleted automatically when their parent database records are removed.
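
The policies behind sections 3 to 5 look like the following. This is an added example, not the platform's own schema or migrations: the projects and project_files tables, the project-files bucket, the policy names and the user id used in the verification step are hypothetical.

```sql
-- Added example (not the Elenor platform's own migrations). Shows an
-- owner-scoped table, RLS policies keyed on auth.uid(), a cascading FK,
-- an updated_at trigger, and matching Storage policies.

create table public.projects (
  id         uuid primary key default gen_random_uuid(),
  owner_id   uuid not null references auth.users (id) on delete cascade,
  name       text not null,
  created_at timestamptz not null default now(),
  updated_at timestamptz not null default now()
);

create table public.project_files (
  id           uuid primary key default gen_random_uuid(),
  project_id   uuid not null references public.projects (id) on delete cascade,
  storage_path text not null,
  created_at   timestamptz not null default now()
);

-- Without these two statements every policy below is ignored and any
-- authenticated role can read every row.
alter table public.projects      enable row level security;
alter table public.project_files enable row level security;

-- Weak policy, shown only for contrast (do not ship): every logged-in user
-- can read every project.
-- create policy "projects_read_all" on public.projects
--   for select to authenticated using (true);

-- Owner-only policies. USING filters rows that already exist; WITH CHECK
-- constrains rows being written, so a user cannot insert a row owned by
-- someone else or re-own a row through UPDATE.
create policy "projects_select_own" on public.projects
  for select to authenticated using (owner_id = auth.uid());
create policy "projects_insert_own" on public.projects
  for insert to authenticated with check (owner_id = auth.uid());
create policy "projects_update_own" on public.projects
  for update to authenticated
  using (owner_id = auth.uid()) with check (owner_id = auth.uid());
create policy "projects_delete_own" on public.projects
  for delete to authenticated using (owner_id = auth.uid());

-- Child rows are scoped through the parent instead of duplicating owner_id.
create policy "project_files_own" on public.project_files
  for all to authenticated
  using (exists (select 1 from public.projects p
                 where p.id = project_id and p.owner_id = auth.uid()))
  with check (exists (select 1 from public.projects p
                      where p.id = project_id and p.owner_id = auth.uid()));

-- Timestamp maintenance via trigger; cascading deletes come from the FKs.
create or replace function public.set_updated_at()
returns trigger language plpgsql as $$
begin
  new.updated_at = now();
  return new;
end $$;

create trigger projects_set_updated_at
  before update on public.projects
  for each row execute function public.set_updated_at();

-- Storage: a private bucket whose objects are readable and deletable only
-- by their owner. Supabase sets owner to auth.uid() on upload; newer
-- versions also expose owner_id (text), compare with auth.uid()::text there.
insert into storage.buckets (id, name, public)
values ('project-files', 'project-files', false);

create policy "files_owner_read" on storage.objects
  for select to authenticated
  using (bucket_id = 'project-files' and owner = auth.uid());
create policy "files_owner_upload" on storage.objects
  for insert to authenticated
  with check (bucket_id = 'project-files' and owner = auth.uid());
create policy "files_owner_delete" on storage.objects
  for delete to authenticated
  using (bucket_id = 'project-files' and owner = auth.uid());

-- Verification inside a transaction: impersonate an authenticated user
-- (hypothetical id) and confirm only that user's rows are visible.
-- auth.uid() reads the sub claim from the request.jwt.claims setting.
begin;
  set local role authenticated;
  select set_config('request.jwt.claims',
    '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}',
    true);
  select count(*) from public.projects;   -- counts only that owner's rows
rollback;
```

Two points follow from the policies. A request made with the service role key skips every policy above, so backend code that uses that key must check owner_id itself before acting on a client-supplied id; running per-request queries with the user's own JWT instead lets RLS do the check. And the verification block is the test worth keeping in CI: if a new table is added without enable row level security, a count under an impersonated user returns every row.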

6. API Security

  • All API endpoints verify JWT tokens before processing requests.
  • Rate limiting is applied to limit brute-force attempts and resource abuse.
  • All user-provided data is validated and sanitized before it is used.
  • Third-party API keys (Google, Anthropic, OpenAI) are stored as backend environment variables and are never sent to the browser.
  • API error responses return generic messages; stack traces, internal identifiers and configuration details are not exposed to clients.

7. Third-Party Security

  • Supabase: SOC 2 Type II certified; EU data hosting.
  • Google Cloud: ISO 27001, SOC 2/3 certified infrastructure.
  • Anthropic & OpenAI: called only from the backend over HTTPS, with API keys held server-side.
  • Stripe: PCI DSS Level 1 compliant payment processing.
  • All third parties operate under Data Processing Agreements (DPAs).

8. Account Security

  • Account deletion permanently removes all of the user's data; dependent database records are removed by cascading deletes and their associated files are deleted from storage.
  • Deletion requires explicit confirmation to prevent accidental loss.
  • Session management lets users review active sessions and revoke access from specific devices.
  • Suspicious activity is monitored and can trigger automatic account lockout.

9. Incident Response

  • Security incident logs record only the minimum personal data needed for investigation.
  • Automated monitoring flags anomalies and suspicious patterns.
  • Compromised credentials (passwords, sessions, API keys) can be revoked immediately.
  • Users notified of security incidents affecting their data.
  • Post-incident reviews and security updates.

10. Security Best Practices

  • Regular dependency updates and vulnerability scanning.
  • Code reviews for security-sensitive changes.
  • Principle of least privilege for all system access.
  • Security headers configured (CSP, HSTS, etc.).
  • Ongoing security training for development team.

11. User Recommendations

  • Use a strong, unique password for your account.
  • Enable multi-factor authentication where available.
  • Keep your email account secure: it is used for password reset and for MFA codes, so whoever controls it controls the account.
  • Report suspicious activity immediately to security@elenor.io.
  • Regularly review active sessions and revoke unknown devices.

12. Product-Specific Security

Individual products may have additional security measures. See product-specific documentation:


This document reflects the security architecture of the Elenor AI Platform. Security is continuously reviewed and improved.