Security
Last Updated: April 20, 2026
Version: 1.1
Status: PUBLISHED
Our Security Commitment
Ridgecrest Works LLC takes the security of your data and the Denouement Platform seriously. This page describes our security practices and provides information for reporting security concerns.
We maintain a Written Information Security Program (WISP) consistent with California Civil Code §1798.81.5.
Data Protection
Encryption
- All data transmitted to and from the Platform is encrypted using TLS 1.2 or higher
- All data stored in the Platform is encrypted at rest using AES-256 or equivalent
- Database credentials and API keys are stored in a dedicated secrets management system — never in application code
- Financial amounts are stored as integer cents to prevent floating-point precision loss
Access Controls
- All production systems require multi-factor authentication (MFA)
- Access to sensitive systems follows the principle of least privilege — personnel only access what they need to perform their job
- Access permissions are reviewed regularly
- Contractor access is revoked within 24 hours of engagement end
Row-Level Security (RLS)
- 16 database tables enforce Row-Level Security through 50 policies
- Every table containing event, vendor, payment, or user data is RLS-protected
- Planners see all data for events they manage
- Vendors see only their own payment records, documents, and dependency-linked vendor timelines
- Clients see payments they owe and event-level summaries
- Delegated clients inherit their inviter's access scope
- Subcontractor data (vendors and payments) is invisible to clients at the database level — not just hidden in the UI
Multi-Tenancy Isolation
Denouement operates a multi-tenant architecture where each event is an isolated data boundary. We enforce strict tenancy bulkheading:
Channel-Level Isolation
- Each event receives a dedicated phone number and email address
- Inbound messages (SMS, email) are resolved to a specific event by the destination channel — the system never scans across events
- Documents sent to one event's channel cannot be ingested into a different event
Identity Verification
- Inbound senders are verified against a two-tier identity system:
- Event members (Tier 2): full access, documents processed automatically based on trust rules
- Platform users (Tier 1): recognized but not authorized for this event — queued for planner approval
- Unknown senders: messages held in a review queue; documents are not processed until the planner approves
- This prevents unauthorized document ingestion and data access across event boundaries
Service-Level Enforcement
- All server-side queries on event-scoped data include explicit event ID filters
- Privileged service operations (bypassing RLS for background processing) manually enforce event scoping
- Search results are role-specific: vendors cannot see other vendors' data; clients cannot see subcontractor information
- Vendor matching prioritizes the planner's trusted network before broader lookups
Application Security
CIS Benchmark Compliance
Denouement undergoes automated CIS benchmark auditing on every code change. Our compliance score: 33 automated checks, 96% pass rate. Audited areas:
Transport & Headers (9 checks)
- HTTP Strict Transport Security (HSTS): 1-year max-age with includeSubDomains and preload
- Content Security Policy (CSP): restrictive policy allowing only verified domains
- X-Content-Type-Options: nosniff
- X-Frame-Options: DENY
- Referrer-Policy: strict-origin-when-cross-origin
- Permissions-Policy: camera, microphone, geolocation restricted
- Cross-Origin-Opener-Policy: same-origin
- Cross-Origin-Resource-Policy: same-origin
- X-Powered-By header removed
Session Management (4 checks)
- Cookies: Secure flag (production), HttpOnly, SameSite=Lax
- Server-side session validation on every request via cryptographic token verification
- No client-side session storage of sensitive data
Input Validation (3 checks)
- Server action body size limits enforced
- Webhook signature verification (HMAC-SHA1 for Twilio, HMAC-SHA256 for Stripe, Svix-signed payloads for Resend inbound email)
- HTML output escaped in all email notifications
Access Control (3 checks)
- Row-Level Security on all 16 tables
- Authentication verified in all server actions (8 action files audited)
- Service role key isolated to server-side code only (never prefixed with NEXT_PUBLIC_)
Availability (3 checks)
- Rate limiting on all API routes (60 req/min standard, 30 req/min for ingest webhooks, 10/15min for auth)
- No stack traces exposed in API responses
- Production source maps disabled
Cryptography (3 checks)
- Password minimum length enforced
- Financial amounts stored as integer cents (no floating-point arithmetic)
- Timing-safe comparisons used for all signature verification (prevents timing attacks)
Multi-Tenancy (8 checks)
- Email ingest resolves events by slug/hash (not global scan)
- SMS ingest resolves events by provisioned phone number
- Sender identity verified against resolved event
- Pending sender approval requires planner role verification
- Vendor matching scoped to planner's trusted network
- Service client queries enforce event_id
- Concierge SMS resolves event by provisioned number
Dependency Security
- npm audit runs on every code change — zero known vulnerabilities
- 595 dependencies audited for license compliance
- All dependencies use approved open-source licenses (MIT, Apache-2.0, BSD, ISC, or equivalent)
- License certification report generated and archived on every build
Static Analysis
- ESLint with security plugin (
eslint-plugin-security) enforces:
- No unsafe regular expressions
- No eval with expressions
- No timing-attack-vulnerable comparisons
- No CSRF bypass patterns
- TypeScript strict mode enabled — catches null safety and type coercion issues
Secret Scanning
- Automated scanning for hardcoded API keys, tokens, and credentials in source code
- Service role keys verified to be server-side only
- Environment variables validated against exposure patterns
Platform Availability and Reliability
We use reputable cloud infrastructure providers with enterprise-grade availability commitments. We monitor Platform health continuously and maintain incident response procedures.
During our beta period, we do not guarantee a specific uptime SLA. Enterprise clients may negotiate availability commitments in their service agreement.
Vulnerability Management
- We conduct dependency scanning for known vulnerabilities on every code change
- Critical and high-severity security patches are applied promptly
- Automated security pipeline runs on every push and pull request
- CIS benchmark compliance is verified automatically — failures block deployment
To report a security vulnerability: Please contact us at security@denouement.ai before public disclosure. We will acknowledge your report within 48 hours and work with you on responsible disclosure.
Vendor Security
All third-party sub-processors who access your data are required to:
- Maintain security practices at least as protective as our own
- Execute a Data Processing Agreement with us
- Notify us promptly of any security incidents affecting your data
Our current sub-processor list is available on our DPA page.
Incident Response
In the event of a security incident affecting your personal information, we will:
- Notify you within 48 hours of becoming aware of the breach
- Provide details of what data was affected and what steps we are taking
- Work with you to fulfill any regulatory notification obligations
- Conduct a root cause analysis and implement remediation measures
We maintain cyber liability insurance to support breach response.
Compliance
Our security practices are designed to be consistent with:
- California Civil Code §1798.81.5 (reasonable security for personal information)
- California Civil Code §1798.82 (breach notification)
- CCPA/CPRA data security requirements
- CIS Controls framework (33 automated checks, verified on every deployment)
- OWASP Top 10 (addressed through static analysis, input validation, and output encoding)
Your Role in Security
You can protect your Denouement account by:
- Using a strong, unique password
- Enabling two-factor authentication (available in account settings)
- Not sharing your login credentials
- Logging out when using shared devices
- Reporting suspicious account activity to security@denouement.ai immediately
Security Contact
To report a security concern, suspected breach, or vulnerability:
Email: security@denouement.ai
Response time: 48 hours
For general privacy questions, see our Privacy Policy.
Revision History
| Version | Date | Changes |
|---|---|---|
| 1.0 | April 13, 2026 | Initial publication |
| 1.1 | April 20, 2026 | Added: Row-Level Security details (16 tables, 50 policies), multi-tenancy isolation (channel-level, identity verification, service-level), CIS benchmark compliance (33 checks), dependency security (595 packages), static analysis, secret scanning, OWASP Top 10 reference, revision history |
© 2026 Ridgecrest Works LLC. All rights reserved. Denouement is a trademark of Ridgecrest Works LLC.