Security
Security is an operating system, not a badge.
Service Calls IQ is being built with layered tenant, identity, data, change, monitoring, and recovery controls. External assurance claims remain gated.
Implemented foundation
- Server-bound tenant transaction context and forced PostgreSQL row-level security
- Composite tenant foreign keys and adversarial cross-tenant database tests
- Append-only audit-event protection at the database layer
- Strict TypeScript, locked dependencies, lint, tests, builds, and CI
- Safe logging redaction defaults and no secrets in the repository
Planned production controls
Production work includes MFA and privileged-access controls, short-lived AWS identity, multi-account logging, encryption/KMS, WAF, secrets rotation, vulnerability and dependency management, incident response, vendor review, backup/restore exercises, observability, and independent security testing.
Claims boundary
Service Calls IQ is not claiming a SOC 2 report, HIPAA compliance/certification, PCI compliance, ISO certification, FedRAMP authorization, CMMC certification, or an accessibility certification. Those outcomes require external, contractual, operational, legal, and evidence prerequisites beyond software implementation.