Security

Built for production.

Tempo uses production-oriented security patterns. Claim access is API-gated, validated, and audited at every layer.

Authentication & Authorization

  • JWT-based session tokens via NextAuth on protected app routes
  • Staff workspace access restricted to manager and adjuster roles
  • Vendor sessions fail closed until tenant-scoped claim invitations are configured
  • Protected API routes verify authentication before processing
  • Legacy shared-password fallback is disabled in production unless explicitly opted in

Data Isolation

  • Supabase Row-Level Security (RLS) enabled and direct public table access locked down
  • Notifications scoped to individual users (auth.uid())
  • Audit trail restricted to manager role
  • Service role key used for admin operations only

Input Validation

  • Zod schemas on all write operations (create, update, delete)
  • Field whitelisting prevents mass-assignment attacks
  • Status transition state machine prevents invalid claim changes
  • Search inputs capped at 100 characters to prevent query abuse

Rate Limiting & Protection

  • IP-based rate limiting on public AI and live-operator endpoints
  • Message length caps on user input (2,000 characters)
  • Webhook authentication required in production
  • Cron route authentication via CRON_SECRET header

Audit & Observability

  • Every state change logged to audit_log table
  • AI token usage tracked per call with cost estimates
  • Vercel Web Analytics mounted globally for privacy-friendly pageview telemetry
  • Vercel Speed Insights measures field performance and web vitals
  • Claim Rescue funnel events are stored first-party without claim or claimant data
  • Claim events provide full activity timeline
  • Automation rule execution logged in activity feed

AI Security

  • AI API calls use structured JSON output with validation
  • Tool call inputs whitelisted (only permitted fields can be updated)
  • AI responses validated via safeParseJSON before database writes
  • Untrusted text (operator goals, public intake descriptions) is delimited as data in agent prompts to resist prompt injection
  • Global daily LLM spend cap (HTTP 429 past the budget) backstops the public demo endpoints
  • Non-critical AI calls are non-blocking (failures don't break workflows)

Infrastructure

  • Deployed on Vercel (SOC 2 Type II compliant)
  • Database on Supabase (SOC 2 Type II, ISO 27001)
  • HTTPS enforced on all endpoints
  • Security headers set globally: CSP, frame blocking, nosniff, referrer policy, permissions policy
  • Environment variables managed via Vercel (never in code)

A note on demo posture

The public Claim Rescue path uses a reviewed synthetic scenario held only in the browser. It does not issue a shared login or write to a production claim. Explicit staff persona logins remain available for the broader product tour; those personas share one synthetic dataset and do not represent tenant isolation. A customer deployment would scope claims by tenant with RLS, use SSO-backed user accounts, and place intake behind the carrier's identity layer.

Vercel and Supabase maintain their own compliance certifications. Tempo inherits their infrastructure security.
For questions about our security practices, contact the team.