Security & Trust Center

Crucible is purpose-built for defensible decision-making. Here's how we protect your data and maintain governance-grade trust.

Last updated: December 30, 2025. Previous version: December 11, 2025.

Infrastructure Security

Our multi-layered infrastructure security includes:

  • Frontend Hosting: Vercel with automatic SSL/TLS encryption and DDoS protection.
  • Backend Hosting: Railway with isolated containers and network segmentation.
  • Database: Supabase PostgreSQL with encrypted connections and automated backups.
  • Caching: Upstash Redis with encrypted data in transit and at rest.
  • Object Storage: AWS S3-compatible storage with server-side encryption (AES-256) for artifacts.
  • CDN & DNS: Cloudflare for DDoS protection, rate limiting, and global content delivery.
  • All data at rest encrypted with AES-256. TLS 1.2+ enforced for all data in transit.
  • Production access gated by OAuth authentication, access verification, and least-privilege IAM policies.

Application Security

Application-level security measures protect your data and sessions:

  • Session Ownership Verification: All session access is verified through automatic ownership checks. Users can only access their own sessions; unauthorized access attempts return 403 Forbidden and are logged for security monitoring.
  • Comprehensive Audit Logging: All sensitive data access is logged, including session reads, deletions, and exports. Audit logs capture user ID, resource type, action, IP address, user agent, and timestamp. Logs are retained for compliance and security investigations.
  • Automated request throttling and anomaly detection to mitigate abuse and prevent DDoS attacks.
  • Independent prompt namespaces per tenant; strict isolation prevents cross-customer prompt injection.
  • Input sanitization: All user inputs are sanitized to prevent prompt injection, PII exposure, and malicious code.
  • Content moderation: Real-time content filtering using OpenAI Moderation API to block harmful, toxic, or illegal content.
  • PII detection and redaction: Automatic detection and redaction of personally identifiable information (email addresses, phone numbers, credit card numbers, SSN, IP addresses) before AI processing.
  • Session isolation: Each user's sessions are completely isolated with strict access controls enforced at the application level.
  • API rate limiting: Per-user and per-IP rate limits prevent abuse and ensure fair usage.

AI-Specific Security

Given Crucible's AI-powered nature, we implement specialized security measures:

  • Prompt Injection Detection: Advanced pattern matching and heuristics to detect and block prompt injection, jailbreaking, and adversarial attack attempts.
  • Safety Gates: Multi-layer quality gates that check for PII, toxic content, and prompt injection before and during debate generation.
  • Output Validation: AI-generated outputs are validated for safety, accuracy, and compliance before delivery.
  • Model Provider Security: We use reputable AI providers (OpenAI, Anthropic, Google) with their own security measures and no-training commitments.
  • Adversarial Input Protection: Detection and blocking of inputs designed to manipulate or exploit the AI system.
  • Citation Verification: Automated checks to ensure citations and claims are properly sourced and verifiable.

Data Protection

We protect your data throughout its lifecycle:

  • Encryption: All sensitive data encrypted at rest (AES-256) and in transit (TLS 1.2+).
  • Access Controls: Role-based access control (RBAC) applying the principle of least privilege to all system access. Session ownership is automatically verified before any data access.
  • Data Minimization: We collect and process only the data necessary to provide the service.
  • PII Redaction: Personal information (email addresses, phone numbers, credit card numbers, SSN, IP addresses) is automatically detected and redacted before AI processing.
  • Data Retention: Professional accounts retain session history for 24 months by default. Users can configure artifact retention settings in their account settings. When artifact retention is disabled, session events are automatically purged after 30 days. All retention policies respect user preferences and can be customized.
  • Backup Security: Regular encrypted backups with secure key management.
  • Data Deletion: Secure deletion of data upon request or account termination. Deleted data may remain in backups for up to 30 days before permanent erasure.

Compliance & Trust

We maintain security and compliance through:

  • Privacy Compliance: Adherence to Australian Privacy Principles (Privacy Act 1988) and GDPR standards.
  • Data Residency: Currently, our infrastructure is primarily located in the United States. Enterprise customers can request model restrictions (e.g., disabling DeepSeek for China data residency concerns). Data residency controls for US/EU-specific deployments are planned for future releases. Contact security@roundtablelabs.ai for current options.
  • Security Assessments: Regular internal security reviews and automated vulnerability scanning. External penetration testing is conducted as needed based on risk assessment and customer requirements.
  • Incident Response: Documented incident response procedures for security events and data breaches.
  • Subprocessor Management: All subprocessors are contractually bound to maintain appropriate security standards.
  • Transparency: Regular updates to this Security & Trust Center and subprocessor list.
  • Audit Logging: Comprehensive audit trails capture all sensitive data access (session reads, deletions, exports) with user ID, IP address, user agent, and timestamp. Audit logs are retained for compliance and security investigations.

Security Resources

Need more details on our security posture or a copy of our subprocessor list? Contact security@roundtablelabs.ai. We aim to respond within 2 business days.