Legal and compliance
Security Overview
Last updated: July 8, 2026
This page maps I.S.A.A.C's current controls to the attached pre-launch security checklist. It should be kept current as the product moves from local server to production SaaS.
Implemented controls
- Server-only secrets for Groq, Supabase service role, Stripe, HitPay, and auth signing.
- Signed, expiring, HTTP-only app sessions with login/logout coverage.
- Protected routes and authenticated API endpoints for private dashboard data.
- Hashed agent API tokens with revoke, rotate, usage logging, and per-plan limits.
- CSV upload limits for file type, size, files per workspace, and saved rows.
- CSV export formula-injection mitigation.
- Same-origin checks on destructive dataset/account routes.
- Security headers for content security policy, framing, MIME sniffing, referrer policy, and permissions.
- Login, AI, dataset write, and agent API rate limiting foundations.
- Stripe and HitPay webhooks reject invalid signatures before granting paid access.
- Audit logs and usage logs for important account, AI, API, and billing events.
Checklist coverage
- No exposed frontend API keys: keep all private keys out of client code and screenshots.
- Input validation: validate browser input and repeat validation on every server route.
- Unsafe forms: limit fields, reject unexpected values, and rate limit public forms.
- Access control: verify organization ownership before reading, saving, deleting, or billing.
- SQL injection: use parameterized database queries only.
- File uploads: accept CSV only, limit size, avoid public raw-file exposure, and scan future storage paths.
- Payment security: never trust redirect success alone; activate paid plans only from verified webhooks.
- Logging: record suspicious auth, token, billing, and destructive events without dumping raw CSV contents.
- Dependency security: run dependency audit and vulnerability checks before every release.
Operational requirements before public launch
- Use HTTPS in production.
- Replace placeholder support/security emails with real monitored inboxes.
- Set production `AUTH_SECRET`, Stripe keys, HitPay keys, Supabase keys, and Groq keys in the host secret manager.
- Enable persistent rate limits with Redis/Upstash for distributed production traffic.
- Enable Sentry or equivalent error tracking with privacy-safe scrubbing.
- Enable uptime, API error rate, database health, billing webhook, and AI cost alerts.
- Enable GitHub secret scanning, Dependabot, `npm audit`, and at least one SAST scanner such as Semgrep.
- Document a secrets rotation procedure and rotate any key pasted into chat, screenshots, GitHub, or logs.
- Finalize data retention, backup, deletion, and incident response policies.
- Test a normal user account against every protected page and API before launch.
Compliance roadmap
- Malaysia PDPA readiness: privacy notice, consent records, access/correction/deletion flow, retention schedule, processor list, and incident response.
- Payments and tax: Stripe card subscriptions, Malaysian gateway for FPX/DuitNow/e-wallets, invoice/receipt retention, and SST review with an accountant if thresholds are met.
- Enterprise trust: ISO 27001 or SOC 2 Type II is not required for a small MVP, but becomes important for larger business customers.
- App stores: publish privacy labels, account deletion instructions, data collection disclosures, subscription terms, and support contact before Android/iOS submission.
- International launch: review GDPR, UK GDPR, CCPA/CPRA, CAN-SPAM, and other local rules before actively marketing in those regions.
Recommended security test commands
npm run build npx tsc --noEmit npm run qa:e2e npm run qa:ui npm run qa:full-ui npm audit --audit-level=high
Security contact
Report vulnerabilities to security@example.com. Replace this placeholder before public distribution and monitor it daily.