Your production data is the moat. We treat it that way.

Tenant isolation

Every piece of production data in soXal is tagged with the organization (or individual user) that owns it. Database-level row security policies enforce that boundary on every read and write — not in application code where a bug could leak data, but in the database itself, where the rule is mechanical.

You see your organization’s data. You do not see another organization’s data. The xHand module — pay stubs, W-2s, 1099s, personal records — is scoped to YOU as a user, not your organization. Org admins cannot see member xHand documents. We verify this with both database policy tests and live audits.

Authentication

We use passwordless magic-link authentication by default — you receive a one-time link by email, click it, and you’re in. No password to remember, no password to leak.

For organizations that prefer passwords, we enforce a 12-character minimum with required mixed case, digits, and symbols. Recently-changed-password enforcement requires recent reauthentication. Email change requires confirmation from both the old and new address.

Compromised-password screening (HaveIBeenPwned) is on our roadmap for the paid tier.

Encryption

All traffic between your browser and soXal is encrypted with TLS 1.3. Production databases encrypt data at rest with AES-256. Document uploads go to encrypted object storage. Secrets and API keys are managed by our hosting providers and never written to logs.

AI training — default off, opt-in available

By default, your data is not used to train any AI model. When the AI TD answers a question, the relevant chunks of your documents are sent to the model in-context for that single response, then discarded. We use Anthropic and Voyage AI to power AI TD’s Q&A + embedding search; our contracts with them prohibit training their models on your content, full stop.

You can opt in to contribute — in two tiers, both default off. Some of our design partners want to help soXal grow by contributing to a shared pool of industry knowledge. We support that with an explicit, auditable opt-in:

• Tier 1 — Aggregate Industry Intelligence.
  Your data joins anonymized aggregates: gear-cabinet usage patterns, vendor pricing bands, labor-cost ranges by classification. Minimum cell size of n=5 — no aggregate ever exposes data from fewer than five orgs. Individual shows, vendors, and people are never identifiable.
• Tier 2 — soXal Model Training.
  Your data trains soXal’s own internal models (pricing models, embedding models, caveat-pattern miners). NOT Anthropic, NOT Voyage — their vendor contracts still prohibit them training on your data even when you’ve opted into Tier 2.

What we strip, every time, no exception. Even when you opt in, the following are removed before any data enters an aggregate or training pipeline: individual people’s names, contact info (phone, email, address), government identifiers, financial account numbers, individually- identifiable health information. The DATA — gear lists, pricing, advance structure, post-mortem learnings — is fair game when you opt in. The PEOPLE never are.

xHand is separate. Personal records (paystubs, W-2s, 1099s, expenses) use a separate opt-in flag set by you as an individual user. Your org admin cannot opt your xHand data in on your behalf.

Auditable. Every opt-in / opt-out change is recorded with timestamp, actor, and optional reason in an immutable ledger. Visible at /app/settings/data-contribution for your org. Opt out any time; we honor delete-on-request within 7 days.

Citations + audit trail

Every AI TD answer ships with citations linking back to the source documents it pulled from. Every AI-driven recommendation — staffing, vendor matches, layout suggestions, BidSmith draft bids — is logged with the reasoning, the citations, and a human-approval status.

BidSmith bids are even more granular: every dollar in a generated bid traces back to a specific CBA source page, fringe rule, or platform-shared caveat. You can defend any number in any bid back to a published source.

Privileged operations

Server-side operations that bypass row security — ingestion jobs, batch embeddings, admin reports — run in narrowly-scoped functions with short search paths, explicit grant lists, and least-privilege roles. The functions used during normal user requests can’t access data outside the caller’s scope.

Admin reviews happen on a separate authentication path with additional gating; even the founder cannot read individual users’ xHand documents without explicit access policy.

Rate limiting + abuse defense

Every public-facing endpoint enforces per-IP and per-user rate limits. Repeated failed authentications, AI queries past your organization’s spend cap, and suspect upload patterns all surface in the admin control room. Hashed IPs identify abuse without retaining raw network addresses.

Subprocessors

We use a small set of vetted vendors. None of them receive your data outside the narrow purpose listed.

• SupabaseDatabase, auth, object storageUS
• VercelApplication hostingUS (Washington DC region)
• AnthropicAI inference (Claude)US — no training on your data
• Voyage AIEmbeddingsUS — no training on your data
• CloudflareDNS + edge / CDNGlobal
• Microsoft ClarityAnonymized session analytics (opt-out via DNT)US

When we add or change a subprocessor, we update this list. Material changes get email notice to active organizations.

Compliance roadmap

soXal is a private-beta product built by a working IATSE technician. We are precise about what we have and what we don’t:

• Encryption in transit + at rest
  in place
• Row-level data isolation
  in place
• Audit logging on AI decisions
  in place
• Vendor AI training prohibition
  in place
• Documented incident response plan
  in place
• Vulnerability disclosure program
  in place
• SOC 2 Type II report— targeted after design partner program
  roadmap
• Penetration test by independent firm— planned alongside SOC 2 prep
  roadmap
• Multi-factor authentication enforcement— available as opt-in; mandatory for paid tier
  roadmap
• HaveIBeenPwned password screening— paid-tier feature
  roadmap

We’d rather be honest about a Phase-3 control than imply we have something we don’t. If a specific compliance question gates a procurement decision, email us at allen@soxal.co and we’ll respond directly.

Incident response

If we discover a security incident affecting an organization, we notify them within 72 hours with what we know, what we don’t know, and what we’re doing about it. If the incident affects regulated data — payroll information, health benefit records, government IDs — we follow the applicable state and federal notification timelines.

You can reach our security team at allen@soxal.co at any time.

Vulnerability disclosure

If you find a security issue in soXal, please report it privately to allen@soxal.co. We acknowledge within 2 business days and aim to triage within 5. We don’t currently run a paid bug bounty, but we recognize good-faith research, will not pursue legal action against researchers operating in good faith, and will credit you (with your permission) once an issue is resolved.

Please don’t disclose details publicly before we have had a chance to remediate. Please don’t test against other customers’ data — create a test account and we’ll set you up with a controlled environment.

What we do NOT do

We don’t sell your data. We don’t share it with advertisers. We don’t train AI on it. We don’t expose individual shows, vendors, or crew in any public-facing aggregate. We don’t auto-fill financial data without your confirmation. We don’t take irreversible actions on your behalf without explicit consent.

Questions

For security questions, vendor diligence, or compliance questionnaires, email allen@soxal.co. For data-deletion requests or general privacy questions, see our Privacy Policy. For the rules of the road, see our Terms of Service.