Security & trust

How we protect your data.

Energy Sync is two workspaces on one platform — the broker procurement suite (customers, RFPs, offer comparison, contracts, commissions, bill audit) and the IPP origination workspace (opportunities, pipeline, AI scoring, bid drafts, counterparty intel). The controls on this page apply to both. Customers entrust both workspaces with commercially sensitive data, and we built the platform to hold that trust: tenant isolation on every read and write, encrypted storage and transit by default, and third-party processors chosen for their published security posture. This page documents our current controls, the gaps we're actively closing, and how to reach us with questions.

Broker workspace

Commercial energy brokers running RFPs for customers. Protects customer identities, load data, supplier offers, contracts, and commission statements.

IPP workspace

Independent Power Producers scoring inbound RFPs against their own pipeline. Protects project attributes, match scores, bid drafts, and counterparty dossiers.

Page version 1.0 · Updated 2026-04-23 · security@energysync.ai

Where we stand

Compliance & certifications

We document compliance status honestly. Where a framework is not yet audited, we mark it as such. Nothing on this page represents a certification we have not earned.

  • SOC 2 Type II
    Readiness assessment underway. Audit observation window has not started. Interim policies, evidence collection, and control mapping are in progress.
    In progress
  • SOC 2 Type I
    Target completion Q4 2026. Targeting a short observation window as a first attestation while Type II controls mature.
    Planned
  • GDPR
    Aligned with GDPR principles (lawful basis, minimization, purpose limitation, portability, erasure). DPA template + Article 30 records of processing in draft.
    In progress
  • CCPA / CPRA
    Customer rights honored on request via the contact below. Formal notice updates tracked as part of the GDPR rollout.
    In progress
  • HIPAA / BAA
    Not applicable — Energy Sync does not process Protected Health Information. Sub-processors are informed of this scope.
    Not applicable
  • ISO 27001
    Not pursued today. Revisit after SOC 2 Type II attestation.
    Planned
How we decide

Our trust principles

Four principles guide every design decision, from schema to server action to third-party integration:

Tenant isolation is the default.

Every read and write on Energy Sync passes through a server-side tenancy guard that scopes the query to the caller's organization. Nothing escapes tenancy, including AI-generated content (counterparty dossiers, bid drafts) and email digests.

Public data, where possible.

The platform ingests from public procurement portals (DOE, SAM.gov, Grants.gov) and public asset disclosures. We minimize exposure by avoiding paywalled sources unless the customer explicitly wires them up.

Deterministic floor, AI enrichment.

Every scoring output starts from a deterministic heuristic and is enriched by AI only when the API is available. If AI inference fails or is unavailable, the user still sees a complete, predictable answer.

Explicit data, not inferred.

We only collect what the workflow requires. No device fingerprinting, no behavioral telemetry, no third-party ad pixels. Analytics are limited to server-side logs for reliability and security investigation.

Where your data lives

Data handling

What we collect

Energy Sync collects only what each workflow requires. Data falls into three categories:

  • Account data — name, email, hashed password, organization, role + capability assignments. Required to authenticate and authorize users.
  • Workflow data — what users create or import: customers, locations, meters, RFPs, supplier offers, contracts, commissions (broker); opportunities, pipeline projects, AI-scored matches, bid drafts, counterparty dossiers (IPP). Shown only to members of the same organization.
  • Operational data — server logs, request timings, audit events (who did what), error traces. Retained for security investigation and reliability.

Where it lives

  • Primary database (PostgreSQL)
    Managed Postgres on Fly.io volumes in the sjc (San Jose, US) region. Encrypted at rest by the provider. Volume snapshots retained per Fly's managed schedule.
    Live
  • Uploaded files
    Stored on an encrypted block-storage volume scoped to the application instance. Only server-side code has read access; download URLs are authenticated per request.
    Live
  • Transit encryption
    HTTPS-only enforced at the edge. Plaintext HTTP is automatically redirected to TLS.
    Live
  • Region residency control
    Single-region deployment in sjc today. Multi-region / EU-resident deployments available on request.
    Planned

Retention, deletion, and export

  • Retention — workflow data is retained for the lifetime of the organization's subscription. Server logs are retained for 30 days for reliability and security investigation.
  • Deletion — on request we will delete an organization's workspace within 30 days, with cascade removal of child records enforced at the schema level. Backups are purged on their normal rotation cadence after the primary delete completes.
  • Export — customers can request a machine-readable export (JSON) of their workspace's data. A self-serve export UI is on the roadmap.
Who can see what

Access controls

Access is governed by three layers: authentication (who you are), tenancy (what organization you belong to), and capability (what actions your role lets you perform).

  • Password hashing
    bcrypt with a per-user salt. Plaintext passwords are never logged, stored, or transmitted after registration.
    Live
  • Session management (NextAuth v5)
    Signed JWTs issued on sign-in, delivered via HTTP-only, Secure, SameSite=Lax cookies. Session-signing secrets are rotated per environment. Session capabilities refresh on role changes without re-login.
    Live
  • Multi-tenant isolation
    Every server action and page loader resolves the organization from the session and scopes database reads and writes to that organization. Cross-tenant queries are structurally impossible from user-facing code paths.
    Live
  • Role-based access control (RBAC)
    Capability registry with role defaults (OWNER / ADMIN / MEMBER / VIEWER) plus per-user allow/deny overrides. A capability check enforces the permission at the action boundary.
    Live
  • Audit logging
    Sensitive events (member changes, permission updates, role transitions) write to an append-only audit-log table with actor id, organization id, event type, and a diff payload.
    Live
  • Multi-factor authentication (MFA)
    User-facing MFA is not yet implemented. TOTP and WebAuthn are on the roadmap; enforce-MFA-for-admins is the first milestone.
    Planned
  • Single Sign-On (SAML / OIDC)
    Planned for customers who require SSO through Okta, Google Workspace, or Entra ID. Not currently available.
    Planned
  • IP allowlisting / session pinning
    Not currently offered. Under evaluation as an optional enterprise control.
    Planned
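As an added example that is not Energy Sync's own code, here is how the three layers above combine in one server-action guard: the organization comes from the session (never from the request), the capability is resolved from role defaults plus per-user allow/deny overrides with deny winning, and every query carries the tenancy predicate. The type names, capability names, role defaults and in-memory records are assumptions constructed for the example.

```typescript
// Added example (not Energy Sync's code): tenancy guard + capability check.
// Session, Capability, ROLE_DEFAULTS and the RFPS table are constructed stand-ins.

type Role = "OWNER" | "ADMIN" | "MEMBER" | "VIEWER";
type Capability = "rfp:read" | "rfp:write" | "member:manage";

interface Session { userId: string; orgId: string; role: Role; }
interface Overrides { allow: Capability[]; deny: Capability[]; }

// Role defaults from the capability registry (constructed values).
const ROLE_DEFAULTS: Record<Role, Capability[]> = {
  OWNER: ["rfp:read", "rfp:write", "member:manage"],
  ADMIN: ["rfp:read", "rfp:write", "member:manage"],
  MEMBER: ["rfp:read", "rfp:write"],
  VIEWER: ["rfp:read"],
};

// Effective capabilities: role defaults, plus per-user allows, minus per-user denies.
// A deny always wins, so an explicit removal cannot be undone by a role default.
function effectiveCapabilities(role: Role, o: Overrides): Set<Capability> {
  const caps = new Set<Capability>([...ROLE_DEFAULTS[role], ...o.allow]);
  for (const c of o.deny) caps.delete(c);
  return caps;
}

interface Rfp { id: string; orgId: string; title: string; }

// Constructed stand-in for the database: two organizations' RFPs in one table.
const RFPS: Rfp[] = [
  { id: "r1", orgId: "org-a", title: "Campus load RFP" },
  { id: "r2", orgId: "org-b", title: "Retail portfolio RFP" },
];

function requireCapability(session: Session, o: Overrides, cap: Capability): void {
  if (!effectiveCapabilities(session.role, o).has(cap)) throw new Error(`forbidden: ${cap}`);
}

// List: the filter uses the session's orgId, never a client-supplied one.
function listRfps(session: Session, overrides: Overrides): Rfp[] {
  requireCapability(session, overrides, "rfp:read");
  return RFPS.filter((r) => r.orgId === session.orgId);
}

// Lookup by id still carries the tenancy predicate, so an id belonging to another
// organization resolves to "not found" rather than to the record.
function getRfp(session: Session, overrides: Overrides, id: string): Rfp | null {
  requireCapability(session, overrides, "rfp:read");
  return RFPS.find((r) => r.id === id && r.orgId === session.orgId) ?? null;
}
```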
How it runs

Infrastructure security

Energy Sync is a Next.js application running on Fly.io with a managed PostgreSQL database. We deliberately keep the infrastructure footprint small so the security boundary is small.

  • Hosting: Fly.io
Fly.io maintains SOC 2 Type II attestation; see their trust page for the current report. App machines run in Firecracker micro-VMs with per-tenant isolation. Region: sjc.
    Live
  • TLS termination
    Edge proxy handles TLS 1.2+ with automatic certificate renewal. HTTP-to-HTTPS redirect is enforced at the edge; plaintext HTTP never reaches application code.
    Live
  • Secrets management
    All credentials — database connection strings, session-signing secrets, and third-party API keys — are stored in the hosting provider's encrypted secret store and injected into the machine environment at boot. Nothing sensitive is committed to source control.
    Live
  • Network egress
    Application makes outbound HTTPS calls only to documented sub-processors (see below). No arbitrary egress is allowed from user-submitted input.
    Live
  • Backups
    Fly-managed volume snapshots on the default schedule. Point-in-time recovery is available via provider tooling.
    Live
  • Vulnerability scanning
    Dependencies reviewed manually today, with a security audit against the package registry run before each release. Automated daily scans via a continuous-integration job are on the roadmap.
    In progress
  • Continuous security monitoring (SIEM)
    Planned. Today we rely on Fly's platform monitoring plus in-app audit logs.
    Planned
How we build

Application security

  • Secure-by-default framework
    Next.js server actions with strict TypeScript. Server-only modules prevent secrets from leaking into the client bundle.
    Live
  • Parameterized queries (Prisma)
    All database access uses the Prisma ORM with parameterized queries. Raw SQL is not used in application code.
    Live
  • Input validation (Zod)
    Server actions validate input with Zod schemas at the boundary. Shape mismatches throw before touching the database.
    Live
  • Output escaping
    React escapes text content by default. User-authored rich content is rendered as text, not as HTML, unless explicitly sanitized (which we don't currently do — see Controls in progress).
    Live
  • Continuous integration tests
    Vitest unit test suite (~600 tests) exercises scoring, parsing, tenancy guards, capability checks, and email rendering. Full suite runs on every change.
    Live
  • Peer code review
    All substantive changes reviewed before merge. Code review checklist covers the OWASP Top 10 plus tenancy, capability, and PII-handling concerns.
    Live
  • Pre-release penetration testing
    Internal red-team exercises against authentication, tenancy, and RBAC. Formal external penetration test scheduled ahead of general availability.
    Planned
  • Responsible-disclosure program
    Email-based program with a 90-day coordinated disclosure window (see below). A public bug-bounty program is planned post-audit.
    In progress
How AI handles your data

AI & LLM data handling

AI (via the Anthropic API) powers four features: pipeline-fit scoring, bid-response drafting, counterparty dossiers, and (in the broker workspace) offer parsing and invoice auditing. We treat every LLM call as a third-party processing event and constrain what we send.

  • Minimum-necessary inputs
    Each prompt sends only the fields the feature needs — an opportunity summary, a project row, or a supplier email. We do not forward full database exports, user account data, or unrelated customer records.
    Live
  • No training on your data
    Anthropic's API terms state that inputs are not used to train their models when accessed through the paid API. We review Anthropic's policy page at each provider change.
    Live
  • Structured-JSON outputs
All LLM responses are parsed with a tolerant schema-validating parser; unexpected shapes fall back to a deterministic result rather than rendering raw model output in the UI.
    Live
  • No hallucinated facts in counterparty dossiers
The dossier prompt explicitly instructs the model to answer 'unknown' rather than fabricate when public information cannot be verified, and to include a `sources` array an analyst can cross-check.
    Live
  • Opt-out
    Organizations can disable AI enrichment; the deterministic heuristic scorer continues to run and no prompts are sent off-platform.
    Planned
  • Prompt/response logging
    Today we log metadata (call duration, model version) but not prompts or responses. A scoped, access-controlled prompt-audit log is on the roadmap for customers with stricter governance needs.
    Planned
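The "deterministic floor, AI enrichment" principle and the structured-JSON handling above, as an added example that is not Energy Sync's own code: a heuristic score is always computed, and a model response replaces it only if it parses and validates, so prose, truncated JSON or an out-of-range score returns the heuristic result unchanged. The field names, heuristic weights and sample inputs are assumptions constructed for the example.

```typescript
// Added example (not Energy Sync's code): deterministic floor with AI enrichment.
// Opportunity/Project fields and the heuristic weights are constructed for the example.

interface Opportunity { capacityMw: number; technology: string; state: string; }
interface Project { capacityMw: number; technology: string; state: string; }
interface Score { score: number; rationale: string; source: "heuristic" | "ai"; sources: string[]; }

// Deterministic floor: an explainable match on technology, state and size (0..100).
function heuristicScore(opp: Opportunity, proj: Project): Score {
  let score = 0;
  if (opp.technology === proj.technology) score += 50;
  if (opp.state === proj.state) score += 30;
  const ratio = Math.min(opp.capacityMw, proj.capacityMw) / Math.max(opp.capacityMw, proj.capacityMw);
  score += Math.round(20 * ratio);
  return { score, rationale: "heuristic match on technology, state, capacity", source: "heuristic", sources: [] };
}

// Tolerant parse: strip a ```json fence if present, then require the exact shape.
// Anything else (prose, truncated JSON, missing field, out-of-range score) yields null.
function parseModelScore(raw: string): Score | null {
  const body = raw.trim().replace(/^```(?:json)?\s*/i, "").replace(/\s*```$/, "");
  let obj: unknown;
  try { obj = JSON.parse(body); } catch { return null; }
  if (typeof obj !== "object" || obj === null) return null;
  const o = obj as Record<string, unknown>;
  if (typeof o.score !== "number" || !Number.isFinite(o.score) || o.score < 0 || o.score > 100) return null;
  if (typeof o.rationale !== "string") return null;
  if (!Array.isArray(o.sources) || !o.sources.every((s) => typeof s === "string")) return null;
  return { score: Math.round(o.score), rationale: o.rationale, source: "ai", sources: o.sources as string[] };
}

// Enrichment never replaces the floor silently: when the model output is unusable
// (or the API was unavailable, modelOutput === null) the caller gets the heuristic
// result, and `source` records which one it was.
function scoreOpportunity(opp: Opportunity, proj: Project, modelOutput: string | null): Score {
  const floor = heuristicScore(opp, proj);
  if (modelOutput === null) return floor;
  return parseModelScore(modelOutput) ?? floor;
}
```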
Who else touches your data

Sub-processors

We keep the sub-processor list deliberately short. Each row below is a documented processor; adding a new processor requires an explicit code change and is announced here before activation.

  • Fly.io
    Purpose: Application + database hosting, TLS termination, secrets.
    Data: All application data at rest and in transit.
    Region: United States (sjc).
    Posture: SOC 2 Type II; see fly.io/trust.
  • Anthropic
    Purpose: LLM inference for scoring, drafting, dossiers, parsing.
    Data: Minimum-necessary prompt inputs; structured JSON outputs.
    Region: United States.
    Posture: SOC 2 Type II; Enterprise API terms (no training on inputs).
  • Resend
    Purpose: Transactional email (invitations, digests, signatures).
    Data: Recipient address, rendered email body.
    Region: United States.
    Posture: SOC 2 Type II.
  • SAM.gov (federal public feed)
    Purpose: Public RFP ingestion — outbound only.
    Data: No customer data is sent; responses fetched with an API key.
    Region: United States (public).
    Posture: Read-only public data source.
  • Grants.gov (federal public feed)
    Purpose: Public RFP ingestion — outbound only.
    Data: No customer data is sent; responses fetched without authentication.
    Region: United States (public).
    Posture: Read-only public data source.
  • EIA (Energy Information Administration)
    Purpose: Market benchmark curves.
    Data: No customer data is sent.
    Region: United States (public).
    Posture: Read-only public data source.
When something goes wrong

Incident response

Our incident response process is in active development. Today we operate the following lightweight runbook; a formal written IRP is targeted for Q3 2026.

  • Detect — Fly platform alerts, application error logs, and manual audit-log review. Customer-reported incidents come via security@energysync.ai.
  • Triage — severity classification within 4 business hours. Severity 1 (confirmed data exposure) escalates immediately.
  • Contain + investigate — rotate impacted credentials, revoke compromised sessions, preserve logs, and identify scope.
  • Notify — impacted customers are notified without undue delay, targeting within 72 hours of confirmed material exposure, in line with GDPR Article 33.
  • Remediate + postmortem — written postmortem shared with impacted customers and, where appropriate, summarized on this page.
If the worst happens

Business continuity & disaster recovery

  • Database backups
    Automated Fly-managed snapshots of the PostgreSQL volume. Restore verified during each major deployment.
    Live
  • Stateless application tier
    Next.js server is stateless; machines can be redeployed from image in minutes without data loss.
    Live
  • Documented RTO / RPO targets
    RTO ≤ 4 hours, RPO ≤ 24 hours targeted; formal written DR runbook and annual restore drill scheduled.
    In progress
  • Multi-region failover
    Not offered today. Under evaluation for the general-availability release.
    Planned
Your data, your call

Customer rights

You have rights over your data. We honor them on request. The following are available today by emailing security@energysync.ai from a verified account or organization admin:

  • Access — a machine-readable export of the personal data we hold about you.
  • Rectification — corrections to inaccurate or incomplete data. Most fields are self-serve in the Settings UI.
  • Erasure — deletion of an individual user or an entire organization workspace. We will confirm completion within 30 days.
  • Restriction / objection — pause processing where you have a lawful basis to object.
  • Portability — structured JSON export of your organization's workflow data.
  • Consent withdrawal — revoke consent for optional processing (e.g., email digests) at any time.
Report a vulnerability

Responsible disclosure

We welcome good-faith security research. If you believe you've found a vulnerability, please email security@energysync.ai with:

  • A description of the issue and its impact.
  • Steps to reproduce, including any required credentials or URLs.
  • Any proof-of-concept artifacts (please minimize real customer data).
  • Your preferred attribution and contact method.

We commit to:

  • Acknowledging receipt within 2 business days.
  • Triage within 5 business days.
  • Keeping you informed of remediation progress under a 90-day coordinated disclosure window.
  • Not pursuing legal action against good-faith researchers.
Honest disclosure

Controls in progress

The following controls are on the roadmap but are not yet in place. We publish them here so prospective customers and auditors can see the state of the program without asking.

  • SOC 2 Type II attestation

    Policy suite, evidence collection, and auditor selection underway.

    Observation window start: 2026 Q3.
  • End-user MFA

    TOTP for all users; WebAuthn for admins.

    Ship: 2026 Q2.
  • Single Sign-On (SAML / OIDC)

    Okta, Google Workspace, and Entra ID.

    Ship: 2026 Q3.
  • Automated dependency vulnerability scanning

    Daily dependency audits and code-security signal integrated into continuous integration.

    Ship: 2026 Q2.
  • External penetration test

    Scoped test against authentication, tenancy, and RBAC.

    Schedule: 2026 Q3.
  • Formal incident response plan + DR runbook

    Written IRP with severity tables and contact tree; annual restore drill.

    Publish: 2026 Q3.
  • Customer-facing audit-log export

    Organization admins can export their audit-log history as CSV.

    Ship: 2026 Q3.
  • Self-serve data export UI

    One-click JSON export of workspace records.

    Ship: 2026 Q3.
  • DPA template + Article 30 records

    Standard Data Processing Addendum and internal records of processing.

    Publish: 2026 Q2.
  • Multi-region + EU data residency

    Optional EU-resident deployment for customers with data-localization needs.

    GA dependent.