Private by default
Buyer workspaces are designed so signed-in buyers only access their own records.
The product is early, but the security posture is already centered on private workspaces, row-level access rules, and buyer-approved sharing rather than open professional visibility.
Buyer workspaces are designed so signed-in buyers only access their own records.
Share packages expose selected documents, permissions, expiration, and revocation state.
Supabase policies are used to restrict workspace, document, checklist, share, and audit records.
Document storage is scoped by workspace so files can be protected by owner-aware policies.
Document uploads, replacements, share creation, and revocation are recorded for buyer visibility.
MFA, deeper file scanning, signed URLs, and production security review remain important pre-launch work.