Security & Trust
Cursus is designed from the ground up so that organizational intelligence never becomes individual surveillance — enforced by architecture, not by policy.
Intelligence, not surveillance. That is the principle behind every feature we build.
Core principles
Four principles that govern every feature.
Aggregation-first
Every metric, score, and dashboard in Cursus is computed at the group level. Minimum aggregation thresholds are enforced before any result is returned — no exceptions, no overrides.
Configurable content access
Organizations choose their content access tier: aggregate-only analytics by default, NLP-at-ingestion for sentiment extraction (raw text discarded), or anonymized content for deeper analysis. The organization controls the depth — Cursus enforces the boundary.
Organizational consent model
Data collection decisions are made at the organizational level by administrators. Individual privacy rights (GDPR, etc.) are handled through HR and legal processes — the organization is the data controller. Cursus enforces the aggregation boundary so that even admins cannot drill down to individual-level data.
Immutable audit trail
Every data access, score computation, and administrative action is logged to an append-only audit log. Administrators can review any access event. Audit logs cannot be deleted or modified.
All SOC 2 technical controls are implemented and operational.
Formal audit engagement is in progress. The controls below are live in production today.
AES-256-GCM encryption at rest
All sensitive data encrypted using AES-256-GCM before storage. Integration credentials encrypted at the field level.
TLS 1.3 encryption in transit
All data transmitted between clients, servers, and third-party services is protected with TLS 1.3.
Role-based access control (RBAC)
Per-role data partitioning ensures leaders see only their scoped groups. Individual data is architecturally inaccessible to manager roles.
Immutable audit logs
Every data mutation, access event, and administrative action logged to an append-only audit trail. Cannot be deleted or modified.
GDPR Article 15 & 17 compliance
Full data export (Art. 15) and complete data erasure (Art. 17) built into the platform with rate-limiting and confirmation safeguards.
Rate limiting on all API endpoints
AI routes limited to 20 requests/minute, tRPC routes to 120 requests/minute. Edge-safe, in-memory rate limiting.
Security headers
HSTS, Content Security Policy, X-Frame-Options, Referrer-Policy, and Permissions-Policy enforced on all responses.
Field-level encryption for credentials
AES-256-GCM encryption on integration credentials, OAuth tokens, and service account keys. Decrypted only in the adapter layer.
Aggregation-first privacy architecture
Individual behavioral data is never surfaced to managers. Aggregation thresholds enforced at the database query layer, not application code.
Privacy by design
How We Protect Your Data
Minimum group size enforcement
No metric or score is ever returned unless the underlying group meets a minimum size threshold (default: 5 members). This prevents any individual from being identified through small-group analysis.
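Enforcing the threshold in the database rather than in application code (the same point the Platform Level section makes below) can be done with a view that only ever yields aggregates and a HAVING clause that drops undersized groups. The block below is an added example written for this page, not Cursus's own schema: the table, column and role names, and the threshold value of 5, are assumptions; the pattern is plain PostgreSQL, which is what Supabase runs.

```sql
-- Added example, not Cursus's own schema: enforcing a minimum group size in
-- PostgreSQL rather than in application code. Table, column and role names
-- are assumptions for illustration.

create role manager_role nologin;

create table behavioral_signal (
    id          bigserial   primary key,
    org_id      uuid        not null,
    group_id    uuid        not null,
    member_id   uuid        not null,
    metric      text        not null,      -- e.g. 'response_time_minutes'
    value       numeric     not null,
    observed_at timestamptz not null default now()
);

-- The threshold is a database object, not a request parameter the caller controls.
create or replace function min_group_size() returns integer
language sql immutable as $$ select 5 $$;

-- Managers are granted SELECT on this view only. Aggregates are computed over the
-- whole group, and HAVING removes any group below the threshold, so no row for a
-- small group exists for the caller to read, whatever query they send. Note the
-- threshold counts distinct members, not signal rows: one busy member could
-- otherwise push a tiny group over the limit.
create view group_metrics with (security_barrier = true) as
select org_id,
       group_id,
       metric,
       count(distinct member_id) as members,
       avg(value)                as mean_value,
       min(observed_at)          as window_start,
       max(observed_at)          as window_end
from   behavioral_signal
group  by org_id, group_id, metric
having count(distinct member_id) >= min_group_size();

-- No path to individual rows: the raw table is never granted to the manager role.
revoke all on behavioral_signal from public, manager_role;
grant  select on group_metrics to manager_role;

-- Constructed sample data: one group of 3 members and one of 6, same org.
insert into behavioral_signal (org_id, group_id, member_id, metric, value)
select '11111111-1111-1111-1111-111111111111'::uuid,
       case when i <= 3 then '0000aaaa-0000-0000-0000-000000000001'::uuid
                        else '0000aaaa-0000-0000-0000-000000000002'::uuid end,
       gen_random_uuid(),
       'response_time_minutes',
       10 * i
from generate_series(1, 9) as i;

-- As the manager role, only the 6-member group is visible (members = 6,
-- mean_value = 65). The 3-member group yields no row at all rather than a
-- hidden or zeroed one.
set role manager_role;
select group_id, members, mean_value from group_metrics;
reset role;
```

Two design points worth keeping in mind when reviewing a scheme like this: the view must be the only object the role can read, since a threshold enforced on one view is worthless if the raw table is also granted; and a per-query threshold on its own does not stop differencing between two groups that overlap in all but one member, which is why group definitions should be fixed organizational units rather than caller-chosen filters.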
No individual data in manager views
Leaders and executives see group-level aggregates only. Individual behavioral signals are architecturally unreachable from these roles — the data is not filtered out, it is never available in the first place.
Content access requires explicit opt-in
Communication platform integrations use metadata only by default (who communicates with whom, frequency, response time). Message content is never accessed unless the organization explicitly opts in, with separate consent tracked per integration.
Multi-tenant data isolation
All data is scoped by organization at the database level using Row Level Security. Every query is automatically scoped — there is no way for one tenant to access another tenant's data, even accidentally.
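What "scoped at the database level using Row Level Security" looks like in practice (this also covers the Tenant isolation entry under Data residency below): a policy attached to the table that the database evaluates on every statement, independent of whatever the application sends. The block is an added example written for this page, not Cursus's own policies; table, column and sample values are assumptions, while auth.uid(), the authenticated role and the request.jwt.claims setting are Supabase's.

```sql
-- Added example, not Cursus's own policies: Supabase Row Level Security that
-- scopes a table to the caller's organization via a membership table. Table
-- and column names are assumptions; auth.uid(), the "authenticated" role and
-- the request.jwt.claims setting are Supabase's.

create table org_membership (
    org_id  uuid not null,
    user_id uuid not null,
    role    text not null check (role in ('admin', 'leader', 'member')),
    primary key (org_id, user_id)
);

create table group_snapshot (
    id       bigserial primary key,
    org_id   uuid  not null,
    group_id uuid  not null,
    payload  jsonb not null
);

-- SECURITY DEFINER so the policy can consult org_membership without that
-- table's own RLS recursing into this check; search_path is pinned because a
-- definer function must never resolve names through the caller's path.
create or replace function is_org_member(target_org uuid) returns boolean
language sql stable security definer set search_path = public as $$
    select exists (
        select 1 from org_membership
        where  org_id = target_org and user_id = auth.uid()
    )
$$;
revoke execute on function is_org_member(uuid) from public;
grant  execute on function is_org_member(uuid) to authenticated;

alter table org_membership enable row level security;
alter table group_snapshot enable row level security;
alter table group_snapshot force  row level security;   -- the table owner is scoped too

-- With RLS enabled and no matching policy a row is simply invisible. USING
-- scopes reads, updates and deletes; WITH CHECK stops a client from writing
-- a row tagged with an organization it does not belong to.
create policy tenant_isolation on group_snapshot
    for all to authenticated
    using      (is_org_member(org_id))
    with check (is_org_member(org_id));

-- Constructed sample data: two tenants, one user in each.
insert into org_membership values
    ('aaaaaaaa-0000-0000-0000-000000000001', '11111111-0000-0000-0000-000000000001', 'leader'),
    ('bbbbbbbb-0000-0000-0000-000000000002', '22222222-0000-0000-0000-000000000002', 'leader');
insert into group_snapshot (org_id, group_id, payload) values
    ('aaaaaaaa-0000-0000-0000-000000000001', gen_random_uuid(), '{"members": 7}'),
    ('bbbbbbbb-0000-0000-0000-000000000002', gen_random_uuid(), '{"members": 9}');

-- Simulate a request from the org-A user the way PostgREST does: switch to the
-- authenticated role and set the JWT claims that auth.uid() reads.
begin;
set local role authenticated;
select set_config('request.jwt.claims',
                  '{"sub": "11111111-0000-0000-0000-000000000001", "role": "authenticated"}',
                  true);
select org_id, payload from group_snapshot;        -- only the org-A row is returned
insert into group_snapshot (org_id, group_id, payload)
values ('bbbbbbbb-0000-0000-0000-000000000002', gen_random_uuid(), '{"members": 1}');
-- fails: new row violates row-level security policy for table "group_snapshot"
rollback;
```

The policy checks a membership table rather than trusting an org_id claim copied into the JWT, so a stale or mis-issued token cannot widen a user's scope. One caveat that applies to any Supabase deployment: RLS is evaluated only for the anon and authenticated roles; the service_role key bypasses it, so that key belongs in server-side jobs only and never in a request path that acts on behalf of a user.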
Encrypted credential storage
Integration credentials (API keys, OAuth tokens, service account keys) are encrypted at rest using AES-256-GCM before storage. Credentials are never exposed in responses and are only decrypted when actively used by an integration.
Source attribution on every score
Every score and metric in the platform shows which data sources contributed to its computation. You can always inspect the provenance of any number displayed in Cursus.
Data residency
Your data stays where you need it.
Tenant isolation
All tenant data is isolated via Supabase Row Level Security (RLS). Every query is scoped at the database level. No application-level tenant filtering needed.
US region (default)
Database and storage are hosted in the United States by default. Frontend assets are served via a global CDN for performance.
Enterprise region choice
Enterprise customers can select their preferred data region (US, EU, APAC) for database and storage. Contact us to discuss requirements.
Hybrid cloud deployment
Enterprise only · Coming soon
Enterprise customers can opt for a hybrid deployment where organizational data remains on your infrastructure, with only aggregated intelligence metrics flowing to the Cursus platform. On-premises data hosting is available for organizations with strict data sovereignty requirements.
Data privacy model
Three levels of privacy protection.
Privacy in Cursus is enforced by architecture at three distinct levels — not by policy, not by configuration, but by how the system is built.
Organization Level
The org decides what data is collected
Administrators configure which data sources are active and what depth of content analysis is acceptable. Three tiers: aggregate-only analytics, NLP-at-ingestion (raw text discarded), or anonymized content. The organization controls the scope.
Employment Level
Individual rights handled externally
Individual privacy rights under GDPR, CCPA, and other regulations are managed through the organization's existing HR and legal processes. The organization is the data controller. Cursus is the processor — we act on the organization's instructions.
Platform Level
Cursus enforces the aggregation boundary
Even the organization's own administrators cannot drill down to individual-level behavioral data. Minimum group size thresholds are enforced at the database level. This is not a permission — it is an architectural constraint that cannot be overridden.
| Sub-processor | Purpose | Data Region |
|---|---|---|
| Supabase | Database, authentication, file storage | United States (configurable) |
| Vercel | Frontend hosting, edge network | Global CDN |
| Anthropic | AI inference (Lumen) | United States |
| Stripe | Payment processing | United States |
| Resend | Transactional email | United States |
| PostHog | Product analytics (cookieless) | United States / EU |
Compliance
Built for regulated environments.
SOC 2 Type II
In progress · All technical controls implemented and operational. Formal audit engagement in progress.
GDPR-ready architecture
Implemented · Data residency, right to erasure, and consent management built into the data model.
CCPA compliance
Implemented · Data subject request support and organizational consent model included.
HIPAA
Roadmap · Required for healthcare customers — the architecture is compatible.
Data Processing Agreement (DPA)
GDPR Article 28 compliant. Covers controller/processor roles, sub-processors, and cross-border transfer mechanisms. Coming soon — legal review in progress.
View legal documents
Compliance questions?
We can walk through the privacy architecture, data model, and controls against your requirements.
Talk to us