Security Overview

Every organization’s data is isolated at the database layer using row-level security. Access is scoped to the caller’s organization on every query, so one customer cannot read or write another customer’s data. This is enforced in the database, not only in application code.

Data is encrypted in transit using TLS and at rest by our infrastructure providers. OAuth tokens for third-party integrations are additionally encrypted at the application layer with AES-256-GCM, and encryption keys are never written to logs.

Role-based access control (admin, member, viewer) governs what each user can do, enforced on the server. Production access is restricted to authorized personnel and is logged. Multi-factor authentication and enterprise single sign-on are on the near-term roadmap (see status below).

Security-relevant actions are recorded to an append-only audit log with the actor, timestamp, and source IP address. Administrators can review account activity, and audit export is available to enterprise customers.

Standing controls in the application include:

• Content Security Policy, HSTS, and clickjacking protection on all responses.
• Rate limiting on sensitive endpoints, with expensive operations failing closed.
• Request size limits and input sanitization, including defenses against prompt injection.
• Signed, replay-protected payment webhooks.
• Structured logging that never records secrets, tokens, or stack traces in production output.

Errors and anomalies are captured through our monitoring provider. We maintain a health endpoint for uptime monitoring and are building out alerting and a public status page.

• SOC 2 Type II: in progress. We are implementing the controls and will begin the observation window before claiming certification.
• GDPR / CCPA: we support data export and deletion requests and align our practices to these regulations.
• Enterprise SSO (SAML / OIDC), SCIM, and enforced MFA: on the active roadmap; not yet generally available.

We will update this section as controls move from in-progress to live. If you have a security questionnaire, send it to security@benchside.ai and we will complete it accurately.

We welcome responsible disclosure. Email security@benchside.ai with details and steps to reproduce. Please do not test against production data belonging to other customers.