Our approach
Interline runs on four ideas, and the rest of this page is just consequences of them: every record carries a data classification, every meaningful action is written to an append-only audit trail, every row is scoped to exactly one tenant at the database boundary, and every operator sees the minimum information required to do their job. Security here is a structural property of the codebase, not a quarterly project that happens before an audit.
Data we handle
Every column, document, and event flowing through Interline is tagged with one of five classifications. The tag determines who reads it, where it can travel, and how long it is retained.
| Class | Examples | Access posture |
|---|---|---|
| Public | Marketing pages, this trust center, product changelog. | Read by anyone. Served from the same Next.js origin without authentication. |
| Internal | Application telemetry, request IDs, build metadata, error stack traces with PII scrubbed. | Available to Interline engineers under access logging. Never returned to other tenants. |
| Confidential | Tenant configuration, brand kit, compliance settings, billing posture, fund catalogue. | Scoped to the owning tenant. Read by users with the matching role inside that tenant. |
| Restricted (PII) | Insured names, owner names, policy numbers, illustration ledgers, review documents, audit log entries. | Tenant-isolated at the database row. Returned only to authenticated users in that tenant. Redacted before any third-party model call. |
| Highly restricted (PHI) | Underwriting health questionnaires, exam reports, mortality data tied to a named individual. | Permitted only when a Business Associate Agreement is signed. Field-level encryption is wired but inert until the BAA executes. |
Encryption
At rest. All Customer Data lives in PostgreSQL with native page-level encryption via the underlying managed disk. When we host, we standardize on AES-256 for the storage volume and a separate key per environment.
In transit. Every connection - browser to Next.js, Next.js to FastAPI, FastAPI to Postgres, FastAPI to AI inference - is TLS 1.2 or higher. HTTP requests on the public origin are redirected; HSTS is enforced.
Field-level for PHI. The schema reserves dedicated columns for highly-restricted fields and the ORM layer routes them through a field-level encryption wrapper. The wrapper is wired but inert until a Business Associate Agreement is signed; at that point the keys are provisioned per-tenant and the columns turn opaque to anyone without the decryption envelope. Wiring arrives with HIPAA BAA signing.
Audit trail
Every meaningful action - a review document drafted, an illustration uploaded, a policy assignment changed, a user invited - is written to an append-only audit log. Each entry carries the actor, the tenant, the affected record, and a SHA-256 hash that incorporates the previous entry's hash, forming a chain you can replay end-to-end. When a review is signed and issued, the system snapshots the rendered PDF and pins its content hash to the chain so that any later attempt to alter the artifact is detectable from the audit log alone. The result is a chain-of-custody record that survives regulatory inquiry and operator turnover.
Tenant isolation
Every row in every business table carries a non-nullable tenant_id. The ORM session is opened with a tenant filter before any query runs and the filter cannot be turned off from inside a request handler - there is no admin override that crosses the tenant boundary. A test suite asserts the property by attempting cross-tenant reads from inside one tenant's session and verifying that every endpoint either returns 404 or an empty collection for records belonging to another tenant. The suite runs on every commit; a failure blocks the merge.
Retention & export
We retain Customer Data for the life of the subscription. On termination we hold the data for a thirty-day grace window so the tenant can pull a final export, then we delete it from production within ninety days. Backups age out within twelve months. Audit logs retain for the duration set in the tenant's compliance settings, with a default of twelve months on Team and up to seven years on Enterprise.
A full CSV export of clients, policies, reviews, and audit entries is available from the workspace UI and over the REST API at any time. The export includes the hashes from the audit chain so the artifact can be independently verified after extraction.
Subprocessors
Interline relies on a small set of subprocessors to operate. Each is bound by a written data-processing agreement and receives only the data needed for the stated purpose. The full list, what each receives, and how to subscribe to change notifications lives at /legal/subprocessors.
Today the list is intentionally short - Kinde for authentication, the hosting region for Postgres, plus future additions for managed AI inference and document delivery as those features ship. We will list each provider as it is onboarded and notify customers thirty days before a new subprocessor gains access to Customer Data.
Responsible disclosure
If you find a vulnerability, send the details to [email protected]. We acknowledge within five business days, agree on a reproduction with you, and commit to a patch window of up to ninety days before any public discussion. We credit reporters by name in the changelog unless you ask us not to. We do not pursue legal action against researchers acting in good faith under this policy and we do not require an NDA for the initial report.
The machine-readable contact lives at /.well-known/security.txt per RFC 9116.
Compliance posture
SOC 2 Type II is on the roadmap. Engagement planned for H2 2026 pending pilot client commitments. We do not claim a current report and we will not stamp one onto a sales page that does not exist. What we maintain today are the technical controls a Type II auditor expects to find - append-only audit logs, classified fields, encrypted storage, a tenant-isolation test suite, MFA on every operator account - so that when the engagement opens the controls do not have to be invented.
HIPAA. The codebase is HIPAA-compatible: PHI columns are reserved, the encryption wrapper is wired, audit logging covers PHI access. HIPAA mode requires (1) a signed Business Associate Agreement and (2) production encryption. Scaffolding is in place; preconditions are enforced on opt-in - a tenant cannot claim HIPAA posture until both levers land. View the BAA template.
GDPR. We act as a processor for Customer Data and execute Data Subject Requests forwarded by the controlling tenant. View the DPA template.