Security & Data Architecture

AcreSeal is built for regulated environments. This page describes how we protect utility and landowner data at every layer of the platform.

Data Architecture Overview

  • Supabase (PostgreSQL) database hosted on AWS US East (Virginia)
  • All data encrypted at rest (AES-256) and in transit (TLS 1.3)
  • PostGIS extension for spatial queries and pole geolocation
  • Vercel Edge Network for global CDN and DDoS protection

Access Control

  • Row Level Security (RLS) enforced on all database tables
  • Role-based access: landowner (public, anonymous), utility_manager (authenticated), field_inspector (authenticated), puc_auditor (read-only)
  • Authentication via Supabase Auth — email magic link for utility staff
  • Session management with automatic refresh and expiry
  • No passwords stored — magic link authentication eliminates credential theft risk

Forensic Data Integrity

  • Every record (complaint, inspection, resolution) receives a SHA-256 hash computed from the record content and timestamp
  • Hash chain: each record's hash links to the previous record's hash, creating an append-only audit trail
  • Any modification to any record breaks the chain and is immediately detectable
  • Photo integrity: SHA-256 hash of raw photo bytes stored alongside each image
  • EXIF metadata (GPS coordinates, timestamp, device info) preserved and embedded as provenance data
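
The hash chain described above, sketched as an added example (this is not AcreSeal's code). The field names, the sorted-key JSON canonical form and the all-zero genesis value are assumptions made for illustration.

```javascript
// Added example: field names, canonical form and genesis value are assumptions.
const { createHash } = require("node:crypto");

const GENESIS = "0".repeat(64); // assumed prevHash for the first record

// Deterministic JSON: object keys sorted so equal content always hashes equally.
function canonical(value) {
  if (Array.isArray(value)) return "[" + value.map(canonical).join(",") + "]";
  if (value && typeof value === "object") {
    return "{" + Object.keys(value).sort()
      .map((k) => JSON.stringify(k) + ":" + canonical(value[k])).join(",") + "}";
  }
  return JSON.stringify(value);
}

// hash = SHA-256(prevHash, timestamp, canonical(content)), newline-delimited
function recordHash(prevHash, timestamp, content) {
  return createHash("sha256")
    .update(prevHash + "\n" + timestamp + "\n" + canonical(content))
    .digest("hex");
}

// Append-only: the new record commits to the hash of the current tail.
function appendRecord(chain, content, timestamp) {
  const prevHash = chain.length ? chain[chain.length - 1].hash : GENESIS;
  const hash = recordHash(prevHash, timestamp, content);
  return [...chain, { content, timestamp, prevHash, hash }];
}

// Returns the index of the first record that fails verification, or -1 if intact.
function verifyChain(chain) {
  let expectedPrev = GENESIS;
  for (let i = 0; i < chain.length; i++) {
    const r = chain[i];
    if (r.prevHash !== expectedPrev) return i; // link to predecessor broken
    if (r.hash !== recordHash(r.prevHash, r.timestamp, r.content)) return i; // content altered
    expectedPrev = r.hash;
  }
  return -1;
}

// Constructed sample records (not real data).
function sampleChain() {
  let chain = [];
  chain = appendRecord(chain, { type: "complaint", pole: "P-001", note: "leaning pole" }, "2026-01-05T14:00:00Z");
  chain = appendRecord(chain, { type: "inspection", pole: "P-001", result: "confirmed" }, "2026-01-07T09:30:00Z");
  chain = appendRecord(chain, { type: "resolution", pole: "P-001", action: "replaced" }, "2026-01-20T16:45:00Z");
  return chain;
}
```

Editing a record in place fails at that record; editing it and recomputing its own hash fails at the next record, whose `prevHash` no longer matches. A chain is only as trustworthy as its newest hash, so that value needs to be kept somewhere a database writer cannot change, otherwise every later hash can be recomputed after an edit.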

Landowner Privacy

  • Landowners may report anonymously — name, phone, and email are optional
  • Personal information is never shared with third parties
  • Aggregated, anonymized data may be used for community infrastructure insights
  • All PII fields are access-restricted via RLS — only the assigned utility can view reporter contact information

API & Application Security

  • Input validation via Zod schemas on all API endpoints
  • Rate limiting on public endpoints (complaint submission, status check)
  • CAPTCHA (Cloudflare Turnstile) on anonymous forms to prevent automated submissions
  • Content Security Policy headers enforced via Vercel configuration
  • Google Maps API key restricted by HTTP referrer and API scope

Compliance

  • Designed for Texas HB 144 (Sec. 38.103) and SB 1789 compliance documentation
  • Audit-ready: complete chain of custody for every complaint from intake to resolution

SOC 2 Compliance Roadmap

AcreSeal is architected with SOC 2 Type II controls from the ground up. We are pursuing formal certification on the following timeline:

Q2 2026 — Gap Assessment Complete

Third-party readiness assessment against Trust Services Criteria

Q3 2026 — Type I Audit

Point-in-time assessment of control design and implementation

Q1 2027 — Type II Certification

Full observation period audit covering Security, Availability, and Confidentiality


Uptime & Availability

  • 99.9% uptime SLA for enterprise customers — measured monthly, excluding scheduled maintenance windows
  • Multi-region deployment via Vercel Edge Network with automatic failover across global PoPs
  • Database backups every 24 hours with point-in-time recovery up to 7 days
  • Scheduled maintenance windows announced 72 hours in advance via email and status page

Incident Response

  • Detection: Automated monitoring with alerts on anomalous access patterns, error rate spikes, and database query anomalies
  • Response time: Critical incidents acknowledged within 1 hour, root cause analysis within 24 hours
  • Notification: Affected customers notified within 4 hours of confirmed data incidents via email and in-app banner
  • Post-incident: Full incident report with root cause, impact assessment, and remediation steps published within 5 business days
  • Responsible disclosure: Security researchers may report vulnerabilities to security@acreseal.com

For responsible disclosure or security inquiries, contact security@acreseal.com