⚙ ISO 27001-Aligned Information Security Controls
WorkDecisions AI operates under an information security framework aligned with ISO/IEC 27001 principles. Our controls cover data governance, access management, encryption, audit logging, incident response, and third-party risk management. This document describes those controls and their operational status.
Important note on certification: WorkDecisions AI operates ISO 27001-aligned governance controls. We are not currently ISO 27001 certified by an accredited certification body. All controls described below are implemented and active. Formal certification is planned as part of our enterprise client roadmap. We do not misrepresent our certification status — this is a deliberate choice to be transparent with clients.
🔐 Access Control & Identity Management
- Live: Email + Phone OTP two-factor authentication on all client portal access
- Live: JWT tokens in HttpOnly cookies — no client-side token exposure
- Live: Row-Level Security (RLS) enforced at the database layer — cross-tenant access architecturally blocked
- Live: All API secrets stored in the Frankfurt edge function environment only — never in application code
- Live: Principle of least privilege: each agent and function has access only to its required scope
- Planned: Annual access review and privilege audit — scheduled Q4 2026
🔒 Cryptography & Encryption
- All data at rest encrypted using AES-256 via Supabase managed encryption (PostgreSQL transparent data encryption).
- All data in transit protected by TLS 1.2 minimum (TLS 1.3 preferred). No unencrypted connections accepted.
- All client-facing domains enforce HTTPS with HSTS headers. SSL certificates auto-renewed.
- PII fields in the database are additionally encrypted at the application layer before storage.
- API keys and secrets are never stored in source code, environment files, or third-party credential vaults.
📊 Audit Logging & Monitoring
All significant system events are written to our audit_log table in Frankfurt with immutable records. This supports compliance reporting, incident investigation, and client audit rights.
| Control | Area | Description |
|---|---|---|
| A.12.4 | Event Logging | Every authentication event, data access, clone operation, and compliance action is logged with timestamp, actor ID, IP address, and outcome. |
| A.12.4 | Log Integrity | Audit logs are append-only. No application-layer delete permissions exist on audit_log. Retention: 7 years for compliance events, 90 days for operational logs. |
| A.16.1 | Incident Detection | Automated monitoring on Frankfurt edge functions. Anomalous patterns are flagged to the CEO (Glen Allison) via SMS within 15 minutes. |
| A.18.1 | Compliance Logging | A separate compliance_event_log table tracks GDPR-relevant processing events for DPA obligations and potential regulatory inquiry. |
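The two database-layer controls described on this page, tenant isolation through RLS and an append-only audit_log with no delete permission, can be expressed directly in PostgreSQL. The following is an added illustration, not WorkDecisions AI's own schema: the column names, the app_user role and the tenant_id JWT claim are assumptions; auth.jwt() is the Supabase helper that exposes the caller's JWT claims.

```sql
-- Added example (not the project's schema): append-only, tenant-isolated audit_log.
-- Assumed names: columns below, the application role app_user, and a 'tenant_id' JWT claim.
create table if not exists audit_log (
    id          bigint generated always as identity primary key,
    occurred_at timestamptz not null default now(),
    tenant_id   uuid        not null,
    actor_id    uuid        not null,
    actor_ip    inet,
    event_type  text        not null,
    outcome     text        not null check (outcome in ('success', 'failure')),
    details     jsonb       not null default '{}'::jsonb
);

-- Append-only at the database layer: the application role can insert and read,
-- but holds no UPDATE or DELETE privilege on the table at all.
revoke all on audit_log from app_user;
grant insert, select on audit_log to app_user;

-- Defence in depth: a trigger rejects UPDATE/DELETE even for a role that is
-- later granted the privilege by mistake (including the table owner).
create or replace function audit_log_immutable() returns trigger
language plpgsql as $$
begin
    raise exception 'audit_log is append-only (% rejected)', tg_op;
end;
$$;

create trigger audit_log_no_modify
    before update or delete on audit_log
    for each row execute function audit_log_immutable();

-- Row-Level Security: a session only ever reads or writes rows of its own tenant.
-- FORCE makes the policies apply to the table owner as well as app_user.
alter table audit_log enable row level security;
alter table audit_log force row level security;

create policy audit_log_tenant_read on audit_log
    for select to app_user
    using (tenant_id = (auth.jwt() ->> 'tenant_id')::uuid);

-- The WITH CHECK clause stops a caller from writing a row under another tenant's id.
create policy audit_log_tenant_insert on audit_log
    for insert to app_user
    with check (tenant_id = (auth.jwt() ->> 'tenant_id')::uuid);
```

With these grants in place, a misbehaving application path can only ever add rows; a tampering attempt surfaces as a database error, which is itself worth routing to the anomaly monitoring described in the incident detection control.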
🏗️ Infrastructure Security
- Primary database: Supabase Frankfurt (eu-central-1) — ISO 27001 certified infrastructure provider. No data is written to a non-EU primary instance.
- AI compute: RunPod Switzerland — GDPR-adequate jurisdiction (Article 45). Docker containers with isolated execution environments per client.
- Static hosting: Netlify global CDN — static assets only. No client personal data on CDN nodes.
- Network segmentation: Edge functions run in isolated V8 contexts. No shared memory between tenants.
- Dependency management: All infrastructure dependencies (n8n, Supabase, RunPod) reviewed quarterly. No known-vulnerable packages in production.
European Data Centres
| System | Location | Purpose |
|---|---|---|
| Supabase (PostgreSQL + pgvector) | Frankfurt, Germany | Primary database for WorkDecisions AI — GDPR sovereign |
| Clone Data / Backups | Frankfurt / Munich | GDPR-compliant, SOC 2-aligned, ISO 27001-aligned |
🤝 Third-Party Risk Management
All sub-processors are assessed prior to integration. Assessment criteria include: data residency, certification status, breach history, DPA availability, and contractual exit rights.
Sub-processor list maintained and reviewed quarterly. See GDPR page for full sub-processor disclosure including HeyGen and ElevenLabs US processing disclosure.
🚨 Incident Response
- Detection: Automated monitoring via audit_log anomaly detection. CEO notified by SMS within 15 minutes of detection.
- Containment: Affected edge functions can be disabled within 5 minutes via Frankfurt console. Database access can be revoked at row level without full system downtime.
- Notification: Data breach notification to supervisory authority within 72 hours (GDPR Article 33). Affected clients notified without undue delay where high risk exists.
- Post-incident: Root cause analysis documented in audit_log. Fix verified and documented before incident is closed.
👥 People & Security Awareness
- All agents operating within the WorkDecisions AI swarm operate under documented security protocols reviewed at the start of each session.
- No agent is granted raw secret values. All secrets are retrieved at runtime via the Frankfurt get-secret function — agents access names, not values.
- All external-facing communications reviewed by the CEO prior to send.
- Background checks performed on all personnel with access to client data.
Last updated: May 2026. Controls reviewed following any material infrastructure change and on a quarterly schedule. Questions: glen@workdecisionsai.com