PRIZM Trust
Security
PRIZM is in alpha. This page describes controls that are active in the product today and controls that must be verified before a production launch.
Active Controls
- Authenticated application routes use Supabase-backed server checks.
- Error responses are structured so support can diagnose issues without exposing internal details.
- Uploads are encrypted in transit and at rest.
- Provider and Ops Dashboard data is fetched server-side, not from the browser.
- Security headers and CSP are configured in the Next.js deployment.
Planned Controls
- Formal SOC 2 evidence export and monthly access review.
- Step-up authentication before showing sensitive provider dashboard data.
- Production incident response drills and provider outage rehearsals.
- Published vulnerability acknowledgments after disclosure handling is staffed.
Disclosure
Report vulnerabilities to security@pdftoexcelstatementconverter.com. Do not include live bank statements, credentials, or regulated customer data in the initial report.