Security

Designed for confidential product documentation.

The MVP uses managed authentication, storage, and payment infrastructure with strict role boundaries.

Restricted file access

Client uploads and deliverables are stored in project-specific paths and protected through Supabase policies.

Role-based portal

Clients see their own organization projects. Admins manage dossier status, messages, files, and deliverables.

Admin MFA

Admin accounts should require Supabase MFA before production launch, especially before client files are uploaded.

Payment separation

Stripe handles card data. The app stores order status and Stripe identifiers, not raw payment-card information.

Audit logging

The schema includes audit logs for project, message, file, lead, and order actions so sensitive activity can be reviewed.

Retention controls

Retention language separates active project work, final deliverables, audit records, and deletion requests.