// Security controls

Security Overview

A factual overview of the controls currently implemented in the EdgePoint Strategy client platform and its hosting environment.

Public trust documentLast updated July 10, 2026

Questions can be sent to [email protected].

Current control summary

Control areaCurrent implementation
Transport securityHTTPS is enforced for the public domain through Cloudflare and Railway. Data sent between a browser and the production application is protected with TLS.
Storage encryptionApplication data is stored in Railway PostgreSQL and a Railway Volume. Railway states that customer project data is encrypted at rest. EdgePoint does not currently apply separate application-level encryption to each database field or uploaded file.
AuthenticationBetter Auth provides password and optional OAuth authentication, signed session cookies, session expiration, origin checks, and password hashing. Sessions are configured to expire after 30 days.
AuthorizationProtected pages and API routes verify the current session. File and analysis endpoints scope records to the authenticated user, with organization roles and a restricted administrative allowlist for administrative functions.
File accessUploaded files are not exposed through public object URLs. Authorized downloads stream through authenticated application endpoints.
AI processingOpenRouter requests enforce zero-data-retention routing and deny providers that collect request content.
Backups and resilienceProduction persistence uses Railway-managed infrastructure and a mounted volume. Recovery capabilities depend on the active Railway plan and configured provider features.

What we do not claim

EdgePoint Strategy does not currently represent this platform as SOC 2 Type II certified. The customer interface does not currently provide a formal customer-facing audit log or continuous vulnerability-monitoring product. Security descriptions are intended to match implemented controls and will be revised when those controls change.

Operational security

  • Secrets are supplied through production environment variables rather than committed to application source.
  • Database access uses the production connection configured for the application service.
  • Private application routes are excluded from public search discovery and require route-level authorization.
  • Dependencies are reviewed for known vulnerabilities and upgraded based on exploitability, compatibility, and production impact.
  • Errors and infrastructure logs are used for troubleshooting and security response. This operational logging is not a customer audit-log feature.

Customer responsibilities

Customers should manage user access, use unique credentials, remove access when roles change, classify documents before upload, submit only authorized content, review AI outputs, and notify EdgePoint promptly about suspected unauthorized activity.

Report a security concern

Send suspected vulnerabilities or security incidents to [email protected] with enough detail to reproduce or investigate the issue. Do not access, alter, or retain data that is not yours while testing a suspected vulnerability.

Assurance and limitations

No system can guarantee absolute security. This overview is not a certification, audit opinion, warranty, or substitute for customer due diligence. Customers with specific contractual or regulatory requirements should request a scoped security review before using the platform for regulated data.