EcoService Pro — Security & Compliance Audit
Owner: EcoPowerHub AI LLC · Columbia, MD, USA Last updated: July 14, 2026 Status: Phase 2 (Governance) in progress
This document is the single entry point for auditors, prospects, and the internal security team. It links to the live policies, risk register, and vendor assessments that make up our compliance program.
1. Technical safeguards (Phase 1 — complete)
| Control | Evidence |
| --- | --- |
| Row-Level Security on all tenant tables | supabase/tests/roles_and_rls.sql (CI-enforced) |
| Strong-password + HIBP leaked-password check | Supabase Auth config |
| MFA (TOTP) available to all users | /team → Security tab |
| Comprehensive audit logging | audit_logs table, src/lib/audit.server.ts |
| Encryption at rest & in transit | Supabase (AES-256 at rest, TLS 1.2+ in transit) |
| Input validation (Zod) on every server fn | src/lib/*.functions.ts |
| Rate limiting on public endpoints | rate_limit_buckets + middleware |
| Security event dashboard | /security (owners only) |
2. Governance policies (Phase 2)
All policies are version-controlled and reviewed annually. Drafts were co-authored with our internal ComplianceGuard AI reviewer and approved by the CEO.
3. Risk management
- Risk Register — 12 tracked risks with likelihood, impact, owner, and mitigation status.
4. Vendor / sub-processor risk
- Vendor Risk Assessment Template
- Completed vendor assessments — Supabase, Stripe, Cloudflare, Lovable AI Gateway, PostHog, Sentry, Resend, DFINITY (IC).
5. Legal & user-facing
6. Contact
Security disclosures & compliance questions: engmartin@ecopowerhub.ai
Version-controlled source of truth for this document lives in the project repository. Material changes are reviewed by the Security Lead and approved by the CEO.