Restricted file access
Client uploads and deliverables are stored in project-specific paths and protected through Supabase policies.
Security
The MVP uses managed authentication, storage, and payment infrastructure with strict role boundaries.
Client uploads and deliverables are stored in project-specific paths and protected through Supabase policies.
Clients see their own organization projects. Admins manage dossier status, messages, files, and deliverables.
Admin accounts should require Supabase MFA before production launch, especially before client files are uploaded.
Stripe handles card data. The app stores order status and Stripe identifiers, not raw payment-card information.
The schema includes audit logs for project, message, file, lead, and order actions so sensitive activity can be reviewed.
Retention language separates active project work, final deliverables, audit records, and deletion requests.