Security

Security is an operating system, not a badge.

Service Calls IQ is being built with layered tenant, identity, data, change, monitoring, and recovery controls. External assurance claims remain gated.

Implemented foundation

  • Server-bound tenant transaction context and forced PostgreSQL row-level security
  • Composite tenant foreign keys and adversarial cross-tenant database tests
  • Append-only audit-event protection at the database layer
  • Strict TypeScript, locked dependencies, lint, tests, builds, and CI
  • Safe logging redaction defaults and no secrets in the repository

Planned production controls

Production work includes MFA and privileged-access controls, short-lived AWS identity, multi-account logging, encryption/KMS, WAF, secrets rotation, vulnerability and dependency management, incident response, vendor review, backup/restore exercises, observability, and independent security testing.

Claims boundary

Service Calls IQ is not claiming a SOC 2 report, HIPAA compliance/certification, PCI compliance, ISO certification, FedRAMP authorization, CMMC certification, or an accessibility certification. Those outcomes require external, contractual, operational, legal, and evidence prerequisites beyond software implementation.