Purogaly is the runtime enforcement and evidence pipeline for AI agents. This page describes how we secure customer data, the compliance frameworks we map to, our sub-processors, and how to reach our security team.
Purogaly is built on Supabase (Postgres) and deployed on Vercel. All customer data is isolated per tenant, encrypted in transit and at rest, and access is audited at the database level.
- TLS 1.3 enforced on all public endpoints. HSTS preload-eligible.
- AES-256 on the underlying Supabase Postgres storage layer.
- Row-level security enforced on every public-schema table. No tenant can read another tenant's data through any API path.
- SAML 2.0 SSO via WorkOS for enterprise tenants. Email + password with bcrypt for self-serve. Per-org enforcement.
- Role-based access control with owner / admin / member / viewer roles. Permission boundaries enforced at the database, not just the application layer.
- Customer API keys stored as SHA-256 hashes. Plaintext is shown once at creation and never retrievable thereafter.
- Every governance event SHA-256 hash-chained to the previous event. Append-only at the database trigger level. Two layers of enforcement (grant + trigger).
- Open-source CLI verifier lets auditors cryptographically validate evidence bundles offline, without trusting Purogaly's database.
- Outbound events to customer SIEMs signed with HMAC-SHA256, per-destination secrets, rotatable on demand.
- Sliding-window per-API-key rate limits on every public endpoint. Configurable per tenant.
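As an added illustration of the hash-chaining and HMAC signing described above (example code written for this page, not Purogaly's verifier or its wire format; the event fields, the canonical JSON encoding and the genesis value are assumptions), this shows how an offline check detects a retroactively edited event even when the editor has database access:

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # assumed prev_hash of the first event in a tenant's chain

def canonical(obj):
    # Canonical JSON (sorted keys, no whitespace) so every verifier hashes identical bytes
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def event_hash(seq, prev_hash, payload):
    # Each event commits to its position, its predecessor's hash and its own payload
    return hashlib.sha256(canonical({"seq": seq, "prev_hash": prev_hash, "payload": payload})).hexdigest()

def append_event(chain, payload):
    # Append-only: the new event links to the hash of the current tail
    seq = len(chain)
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    chain.append({"seq": seq, "prev_hash": prev_hash, "payload": payload,
                  "hash": event_hash(seq, prev_hash, payload)})
    return chain

def verify_chain(chain):
    """Offline verification: (True, None) if intact, else (False, seq of first broken event)."""
    expected_prev = GENESIS
    for i, ev in enumerate(chain):
        if ev["seq"] != i or ev["prev_hash"] != expected_prev:
            return False, i          # gap, reorder, or broken link to the predecessor
        if ev["hash"] != event_hash(ev["seq"], ev["prev_hash"], ev["payload"]):
            return False, i          # stored hash does not match the stored content
        expected_prev = ev["hash"]
    return True, None

def sign_outbound(event, secret):
    # HMAC-SHA256 over the canonical event with a per-destination secret (bytes)
    return hmac.new(secret, canonical(event), hashlib.sha256).hexdigest()

def verify_outbound(event, secret, signature):
    # Constant-time comparison on the receiving SIEM side
    return hmac.compare_digest(sign_outbound(event, secret), signature)

def demo():
    # Constructed sample bundle: three governance events for one tenant
    chain = []
    for p in [{"action": "tool_call", "tool": "shell", "decision": "allow"},
              {"action": "tool_call", "tool": "payments.refund", "decision": "pending_approval"},
              {"action": "approval", "approver": "alice@example.com", "decision": "approve"}]:
        append_event(chain, p)
    intact = verify_chain(chain)
    tampered = json.loads(json.dumps(chain))            # deep copy of the exported bundle
    tampered[1]["payload"]["decision"] = "allow"        # rewrite history: refund was never gated
    return intact, verify_chain(tampered)
```

If the editor also recomputes the altered event's own hash, the next event's `prev_hash` no longer matches and the break is reported one position later.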
Purogaly maps governance events to specific controls across four frameworks. Status below is current as of April 27, 2026. We don't claim certifications we haven't earned.
| Framework | Coverage | Status | Notes |
|---|---|---|---|
| NIST AI RMF 1.0 | 72 of 72 subcategories | Mapped | Verbatim from official NIST source. Every governed action can be tied to specific GOVERN/MAP/MEASURE/MANAGE subcategories. |
| EU AI Act | 28 article-level controls | Mapped | Covers Chapters III, IV, V, IX. Article 14 (human oversight) is the architectural primitive of the product. |
| SOC 2 (AICPA TSC 2017) | 33 Common Criteria + Availability + Confidentiality | Type II in progress | Controls implemented and documented. Audit engagement target: Q4 2026. |
| ISO 27001:2022 | 79 controls — Annex A.5, A.6, A.8 | Implementing | Annex A.7 (Physical) deferred — infrastructure provider responsibility for cloud-only SaaS. |
| GDPR / UK GDPR | DPA available on request | Compliant | Data Processing Agreement available under NDA. EU customer data resident in EU regions on request. |
Purogaly relies on the following sub-processors to provide the service. We notify customers in advance of any material changes to this list.
| Sub-processor | Purpose | Data handled | Region |
|---|---|---|---|
| Supabase | Database, authentication, storage | All customer data | US (default), EU available |
| Vercel | Application hosting and edge delivery | Request metadata, no persistent customer data | Global edge |
| WorkOS | SAML SSO and Directory Sync | User identity profiles for SSO-enabled tenants | US |
| Resend | Transactional email (approval notifications, invitations) | User email addresses, notification content | US, EU |
Purogaly is in active production. We're honest about what's in place today and what's on the roadmap.
| Capability | Status | Detail |
|---|---|---|
| Automated backups | In place | Daily Postgres backups via Supabase. Point-in-time recovery on Pro tier. |
| Audit log retention | In place | Minimum two years per tenant. Configurable for enterprise tier. |
| Incident response | In place | Documented runbook. 24-hour notification commitment for confirmed security incidents affecting customer data. |
| Public status page | Roadmap | Live status page launches alongside SOC 2 Type II. |
| Published SLA | Roadmap | 99.9% target for platform tier — to be published once SOC 2 Type II is complete. |
| Third-party penetration test | Roadmap | Engagement scheduled to coincide with SOC 2 Type II audit window. |
For security disclosures, compliance questions, or DPA requests, use the appropriate channel below. Responsible disclosure is welcomed and acknowledged within one business day.