Authentication and access
- NextAuth based authentication
- Workspace scoped role model (Owner/Admin/Member)
- Route level authorization checks on API handlers
Trust center
Security and trust posture
This page summarizes technical controls, data handling expectations, and operational transparency links.
Operational safeguards
- API rate limits for auth sensitive and data heavy routes
- Approval events and audit timeline persistence
- Plan based feature gating for premium workflow endpoints
Data handling
- Invoice and workspace data stored in PostgreSQL
- Attachment storage through Vercel Blob when configured
- Export and deletion paths available from product workflows
Compliance and governance
SOC 2 Type II readiness artifacts are maintained as part of the ongoing control program. Procurement review requests can be sent tohello@incaty.com.