Enterprise-Grade Security

Security You Can Trust

We take the security of your food safety documentation seriously. Here's how we protect your data.

Your Documents Never Leave Google Drive

Food Safety Audit is designed with a "references only" architecture. We store links and metadata about your documents, but your actual files remain securely in your Google Drive. This means:

  • Your documents are protected by Google's enterprise security
  • You maintain full control over your files and sharing settings
  • If you cancel, your documents are still safe in your Drive
  • No risk of document loss from our service

Security Measures

Encryption in Transit
All data transmitted between your browser and our servers is encrypted using TLS 1.3, the latest and most secure transport layer protocol.
  • TLS 1.3 encryption
  • HTTPS enforced on all endpoints
  • HSTS enabled
  • Perfect forward secrecy
Encryption at Rest
Data stored in our database is encrypted using AES-256 encryption, the same standard used by governments and financial institutions.
  • AES-256 encryption
  • Encrypted database backups
  • Secure key management
  • Regular key rotation
Authentication
We use Google OAuth 2.0 for secure authentication, leveraging Google's enterprise-grade security infrastructure.
  • OAuth 2.0 via Google
  • No passwords stored
  • Session tokens with expiration
  • Secure cookie handling
Access Controls
Granular role-based access control (RBAC) ensures team members only access what they need.
  • Role-based permissions
  • Category-level access control
  • Audit trail for all actions
  • Admin-controlled user management
Audit Logging
Comprehensive logging of all system activities for security monitoring and compliance purposes.
  • User activity logs
  • Document access tracking
  • Login/logout events
  • Permission change history
Data Handling
Your documents stay in Google Drive. We only store references and metadata necessary to provide the service.
  • Documents remain in your Drive
  • Metadata stored securely
  • No document content storage
  • Transient AI processing only

Google OAuth Scopes

We follow the principle of least privilege, requesting only the minimum permissions necessary to provide our service.

ScopePurposeWhat We Access
openidVerify your identityYour Google account ID
emailAccount identificationYour email address
profileDisplay your nameYour name and profile picture
drive.readonlyRead document metadataFile names, IDs, and folder structure (read-only)

Subprocessors

We partner with industry-leading service providers to deliver our platform securely.

ProviderPurposeLocationData Processed
Google Cloud PlatformAuthentication (OAuth 2.0)United StatesAccount credentials, authentication tokens
StripePayment processingUnited StatesBilling information, payment details
TiDB Cloud (PingCAP)Database hostingUnited StatesApplication data, user records, document metadata
CloudflareCDN, DDoS protection, DNSGlobalTraffic data, IP addresses
OpenAIAI document categorizationUnited StatesDocument metadata (transient, not stored)
Manus PlatformApplication hostingUnited StatesApplication runtime data

Incident Response

Security Incidents
In the event of a security incident affecting your data, we commit to:
  • Notify affected users within 72 hours
  • Provide details on the nature and scope
  • Explain remediation steps taken
  • Offer guidance on protective measures
Vulnerability Disclosure
We welcome responsible disclosure of security vulnerabilities.

If you discover a security vulnerability, please report it to:

[email protected]

We will acknowledge receipt within 48 hours and work with you to understand and address the issue.

Compliance Roadmap

We are committed to continuous improvement of our security posture.

Current

Security Controls Implementation

Our security controls align with SOC 2 Type I requirements. We implement encryption, access controls, audit logging, and incident response procedures.

Planned

SOC 2 Type II Certification

We are working toward SOC 2 Type II certification to provide independent verification of our security controls.

Questions About Security?

We're happy to discuss our security practices in more detail. For enterprise customers, we can provide additional documentation and participate in security reviews.