I.S.A.A.C

Legal and compliance

Security Overview

Last updated: July 8, 2026

This page maps I.S.A.A.C's current controls to the attached pre-launch security checklist. It should be kept current as the product moves from local server to production SaaS.

Implemented controls

  • Server-only secrets for Groq, Supabase service role, Stripe, HitPay, and auth signing.
  • Signed, expiring, HTTP-only app sessions with login/logout coverage.
  • Protected routes and authenticated API endpoints for private dashboard data.
  • Hashed agent API tokens with revoke, rotate, usage logging, and per-plan limits.
  • CSV upload limits for file type, size, files per workspace, and saved rows.
  • CSV export formula-injection mitigation.
  • Same-origin checks on destructive dataset/account routes.
  • Security headers for content security policy, framing, MIME sniffing, referrer policy, and permissions.
  • Login, AI, dataset write, and agent API rate limiting foundations.
  • Stripe and HitPay webhooks reject invalid signatures before granting paid access.
  • Audit logs and usage logs for important account, AI, API, and billing events.

Checklist coverage

  • No exposed frontend API keys: keep all private keys out of client code and screenshots.
  • Input validation: validate browser input and repeat validation on every server route.
  • Unsafe forms: limit fields, reject unexpected values, and rate limit public forms.
  • Access control: verify organization ownership before reading, saving, deleting, or billing.
  • SQL injection: use parameterized database queries only.
  • File uploads: accept CSV only, limit size, avoid public raw-file exposure, and scan future storage paths.
  • Payment security: never trust redirect success alone; activate paid plans only from verified webhooks.
  • Logging: record suspicious auth, token, billing, and destructive events without dumping raw CSV contents.
  • Dependency security: run dependency audit and vulnerability checks before every release.

Operational requirements before public launch

  • Use HTTPS in production.
  • Replace placeholder support/security emails with real monitored inboxes.
  • Set production `AUTH_SECRET`, Stripe keys, HitPay keys, Supabase keys, and Groq keys in the host secret manager.
  • Enable persistent rate limits with Redis/Upstash for distributed production traffic.
  • Enable Sentry or equivalent error tracking with privacy-safe scrubbing.
  • Enable uptime, API error rate, database health, billing webhook, and AI cost alerts.
  • Enable GitHub secret scanning, Dependabot, `npm audit`, and at least one SAST scanner such as Semgrep.
  • Document a secrets rotation procedure and rotate any key pasted into chat, screenshots, GitHub, or logs.
  • Finalize data retention, backup, deletion, and incident response policies.
  • Test a normal user account against every protected page and API before launch.

Compliance roadmap

  • Malaysia PDPA readiness: privacy notice, consent records, access/correction/deletion flow, retention schedule, processor list, and incident response.
  • Payments and tax: Stripe card subscriptions, Malaysian gateway for FPX/DuitNow/e-wallets, invoice/receipt retention, and SST review with an accountant if thresholds are met.
  • Enterprise trust: ISO 27001 or SOC 2 Type II is not required for a small MVP, but becomes important for larger business customers.
  • App stores: publish privacy labels, account deletion instructions, data collection disclosures, subscription terms, and support contact before Android/iOS submission.
  • International launch: review GDPR, UK GDPR, CCPA/CPRA, CAN-SPAM, and other local rules before actively marketing in those regions.

Recommended security test commands

npm run build
npx tsc --noEmit
npm run qa:e2e
npm run qa:ui
npm run qa:full-ui
npm audit --audit-level=high

Security contact

Report vulnerabilities to security@example.com. Replace this placeholder before public distribution and monitor it daily.