Security Policy

How we protect website submissions, BRD planning, and AI workflows.

A practical view of the public website controls: verified intake, no uploads, reference URL scanning, token limits, AI context boundaries, and human review for sensitive cases.

Last updated: July 2026

This policy covers the public website. Internal SOW, commercial, delivery, and support tools are governed separately.

Short version

The website is designed for public discovery and secure BRD intake. It blocks sensitive/internal routes, limits AI spend and abuse, accepts reference links instead of uploads, scans those links before model use, and routes security or manual-review cases to staff.

Security posture

AorBorC treats the website as a public intake and planning system, not as a place to expose internal estimates, SOWs, commercials, credentials, or private delivery tools.

The public flow is intentionally limited to Planning/BRD. Internal SOW, commercial, delivery, and support tooling live outside this public website project.

Scheduled jobs require server-side secrets, production HMAC flows fail closed when secrets are missing, and admin APIs check the relevant admin module before sensitive operations.

Public pages are built to be crawlable by search engines and AI assistants, while admin, auth, API, lab, and token-gated generated-document routes are blocked or noindexed.

Identity and abuse controls

The AI-Assisted Project Planner verifies a work email with OTP before generating a BRD.

Cloudflare Turnstile is used to reduce bot abuse before sensitive actions.

The planner keeps the existing quota model: per-IP/day limits, per-email limits, 30-day token budget controls, global spend ceiling, public/private AI buckets, and internal-email exemptions where configured.

Reference URL handling

The public website does not accept file uploads. Users may provide up to three HTTPS reference URLs.

Reference URLs are capped in number, followed through redirects safely, checked against private/local IP ranges, MIME-filtered, scanned, and excluded from model context unless they come back clean.

Malicious or unsafe references are flagged, excluded from AI context, queued for manual review, and prepared for public threat reporting without customer PII.
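To make the reference-URL controls above concrete, here is an added example (not AorBorC's own code) of the pre-fetch checks a defender would put in front of model context: the three-URL cap, HTTPS only, resolution of every hostname against private/local ranges, manual redirect following with each hop re-checked, and a MIME allow-list on the final response. The redirect-hop limit, the MIME list, and the injected `resolve`/`head` helpers are assumptions so the code runs offline.

```python
import ipaddress
from urllib.parse import urlsplit, urljoin
MAX_REFERENCE_URLS = 3   # cap stated in the policy
MAX_REDIRECT_HOPS = 3    # assumed; the page does not state a hop limit
ALLOWED_MIME_PREFIXES = ("text/html", "text/plain", "application/pdf")  # assumed allow-list

def is_public_ip(ip):
    # Block loopback, RFC 1918, link-local (cloud metadata), multicast and reserved space.
    a = ipaddress.ip_address(ip)
    return not (a.is_private or a.is_loopback or a.is_link_local or a.is_multicast or a.is_reserved or a.is_unspecified)

def check_url(url, resolve):
    # Returns a rejection reason, or None if safe to fetch. resolve(host) -> list of IP strings.
    p = urlsplit(url)
    if p.scheme != "https":
        return "scheme must be https"
    if not p.hostname or p.username or p.password:
        return "missing host or embedded credentials"
    addrs = resolve(p.hostname)   # every A/AAAA answer must be public, not just the first
    if not addrs:
        return "dns resolution failed"
    bad = [ip for ip in addrs if not is_public_ip(ip)]
    return f"resolves to non-public address {bad[0]}" if bad else None

def safe_reference(url, resolve, head):
    # Follows redirects by hand so every hop is re-validated; head(url) -> (status, location or None, content_type).
    for _ in range(MAX_REDIRECT_HOPS + 1):
        reason = check_url(url, resolve)
        if reason:
            return False, f"{url}: {reason}"
        status, location, ctype = head(url)
        if 300 <= status < 400 and location:
            url = urljoin(url, location)   # next hop is checked at the top of the loop
            continue
        if status != 200:
            return False, f"{url}: http {status}"
        if not ctype.lower().startswith(ALLOWED_MIME_PREFIXES):
            return False, f"{url}: unsupported content type {ctype}"
        return True, url
    return False, "too many redirects"
def vet_submission(urls, resolve, head):
    # Returns (accepted_final_urls, rejection_reasons); an over-cap submission is refused whole.
    if len(urls) > MAX_REFERENCE_URLS:
        return [], [f"at most {MAX_REFERENCE_URLS} reference URLs allowed"]
    accepted, rejected = [], []
    for u in urls:
        ok, detail = safe_reference(u, resolve, head)
        (accepted if ok else rejected).append(detail)
    return accepted, rejected
```

A production fetcher should connect to the address it just validated rather than re-resolving the hostname, so a DNS answer cannot change between the check and the fetch; the scanning step the policy mentions then runs on the body of an accepted final URL.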

AI safety and token efficiency

AorBorC uses AI to draft BRDs, identify gaps, prepare UAT thinking, and support documentation. Humans remain accountable for delivery, security, and commercial decisions.

Stable company, process, service, security, and BRD schema context may be cached with the AI provider to reduce repeated token spend.

Customer-specific intake, private reference text, and revision notes stay outside reusable cached context blocks.

Data storage and access

BRD requests, reference URL security results, quota events, and manual-review status are stored in Supabase-managed Postgres.

Admin access is restricted to authenticated AorBorC staff and service-role operations. Public users cannot browse BRD records.

Sanitized CMS HTML must not include inline styles. Visual treatment belongs in CSS classes and theme tokens.

Manual review and Zoho Desk

Security review, model timeout, token exhaustion, post-approval revision, and approved BRD follow-up cases are routed to manual review.

When Zoho Desk is connected with the required ticket scope, the website creates Desk tickets and stores the ticket status on the BRD request.

If Desk is unavailable, the request remains marked for manual review with an admin-visible error.

What we do not expose publicly

The public site does not generate customer-facing SOWs, commercials, estimates, proposal decks, payment schedules, or quote PDFs.

The public site does not publish admin routes, internal documentation, per-customer generated documents, or lab experiments through sitemap or AI discovery files.

We do not expose public email addresses on marketing pages. Security and privacy enquiries should use the contact form.

Report a vulnerability

Submit vulnerability reports through /contact and include "Security" in the subject or message.

Include the affected URL, a clear reproduction path, expected impact, and whether any data was accessed. Do not include customer PII or exploit beyond what is needed to demonstrate the issue.

We review genuine security reports promptly and may follow up through Zoho Desk or email if more detail is needed.

Related policies

Security controls work alongside the Privacy Policy and Terms of Service.