Skip to main content
SevrelDocumentation
← Back to App
Documentation menu

Security & Compliance

A comprehensive overview of how Sevrel protects your organization's data across every layer — from AI inference to document access to audit compliance.

Architecture Overview

Sevrel uses a hybrid deployment model designed for enterprise CRE organizations that handle sensitive financial and legal documents:

Web Application & API

Hosted on managed infrastructure with automated scaling, monitoring, and redundancy. Serves the frontend application and handles API requests. All traffic is encrypted via TLS and routed through Cloudflare for DDoS protection and edge caching.

AI Inference (Enterprise AI Provider)

Sevrel uses an enterprise AI provider with tiered model routing (fast, standard, and deep tiers). Data is transmitted over encrypted TLS connections. Our AI provider does not use Sevrel customer data to train its models, and prompts are not retained by the provider beyond the transient processing window.

Document Storage (Egnyte)

Documents remain in your Egnyte account. Sevrel accesses them read-only via Egnyte's API with per-organization OAuth credentials. No files are copied or cached outside of Egnyte.

Data Encryption

In Transit

  • TLS 1.2+ on all connections
  • HSTS enabled (max-age 1 year, includeSubDomains, preload)
  • Cloudflare edge encryption
  • TLS-encrypted requests to the AI provider

At Rest

  • Encrypted database storage
  • OAuth tokens encrypted with symmetric key
  • Session cookies: HttpOnly, Secure, SameSite=Lax
  • No secrets in source code or frontend bundles

Tenant Data Isolation

Multi-tenant isolation is enforced at every layer:

  • Database: Every query is scoped by organization ID. PostgreSQL Row-Level Security (RLS) policies enforce isolation at the database level across 10 core tables — defense-in-depth that prevents cross-tenant data access even if application logic is bypassed.
  • Egnyte: Each organization has its own OAuth credentials and document scope. Users can only access their organization's files.
  • AI Context: AI prompts contain only the requesting user's organization documents. No cross-tenant data enters the model context window.
  • Sessions: Authentication tokens are scoped to individual users within an organization.

Authentication & Access Control

  • Microsoft Entra ID: All authentication is delegated to your organization's identity provider. Sevrel does not store or manage passwords.
  • Invitation-only: No self-registration. Users must be invited by an organization administrator.
  • RBAC: Three roles — viewer, member, admin — enforced on every API endpoint. Privileged operations require explicit admin authorization.
  • Rate Limiting: Per-IP limits on authentication routes and per-user limits on AI query routes prevent abuse.
  • Account Lockout: After 5 failed login attempts, accounts are locked for 15 minutes. Password complexity requirements are enforced.
  • Session Management: View active sessions with IP address and device information. Revoke individual sessions or all sessions at once.

Audit Logging

An append-only audit log captures every significant action with full traceability:

Event TypeCaptured Data
AuthenticationLogin success/failure, user ID, IP address, timestamp
AI QueriesUser, query type, documents accessed, correlation ID
Admin ActionsRole changes, user invites/deactivations, settings changes
Document AccessFiles retrieved, download requests, integration events

Every request receives a unique correlation ID, enabling end-to-end traceability from browser to AI response and back.

Security Headers & Browser Protection

  • X-Frame-Options: DENY — prevents clickjacking
  • X-Content-Type-Options: nosniff — prevents MIME sniffing
  • Content-Security-Policy — restricts script, style, and connection sources
  • Referrer-Policy: strict-origin-when-cross-origin
  • Permissions-Policy — disables camera, geolocation, payment APIs

Responsible AI Practices

Sevrel is designed with safeguards to ensure AI outputs are reliable and verifiable:

  • Grounded responses: All answers are based on retrieved documents, not pre-trained knowledge. This dramatically reduces hallucination.
  • Source citations: Every factual claim cites a specific source document so users can verify.
  • No training on your data: Your documents and queries are not used to train or fine-tune AI models.
  • Disclaimer: AI outputs are provided as decision-support tools, not legal or financial advice. Users are encouraged to verify important figures.

Compliance Roadmap

Sevrel is architected with compliance readiness in mind:

  • SOC 2 Type II: Sevrel's architecture is designed for SOC 2 readiness, with audit logging, access controls, encryption, and change management processes in place. Formal certification is on the roadmap.
  • Data residency: Application data is stored in managed PostgreSQL. AI inference requests go to our enterprise AI provider over TLS; customer data is not used for model training.
  • Data retention: Configurable retention policies for conversations, audit logs, and cached data.

Note

Compliance certifications are in progress. For specific compliance requirements, contact support@sevrel.com to discuss your organization's needs.

Next Steps

Last updated: March 17, 2026