Security & privacy

Your factories, styles, and
lab reports stay yours.

Factory Sync handles the most sensitive data in your supply chain — pricing-adjacent production detail, supplier relationships, and compliance documents. It's built so that information never leaks between tenants, never trains an AI model, and never leaves an auditable trail.

Strict tenant isolation

A factory account can only ever see its own data. Scoping is applied on the server from a verified session — the browser never decides what a user may read.

Server-enforced access

Every page and API route checks role and tenant on the edge before responding. A forged request can't bypass the rules that protect another tenant's data.

Private, presigned storage

Report PDFs upload straight to a private bucket through short-lived presigned links. The file bytes never stream through or rest on the application.

Zero-retention AI

Report analysis runs with data retention switched off. Prompts and PDFs are never logged by the AI gateway and are never used to train any model.

Need-to-know fields

Internal notes, your CPSC point of contact, and broker assignments are marked internal-only and are never rendered to factory users.

Complete audit trail

Edits, reviews, rejections, approvals, and CPSC sync events are all recorded — so every change has a who, what, and when.

How tenant isolation works

A factory can't query data that isn't theirs — by construction.

When a factory user loads production or saves an edit, the server reads their factory identity from the tamper-proof session and force-scopes the query to it. Any attempt to touch another tenant's row is rejected outright.

Identity comes from the session, not from anything the client can set or spoof.
Factory IDs are opaque UUIDs, never a readable supplier name — so another tenant's ID can't be guessed.
Cross-tenant writes return 403 at the database boundary, every time.

tenant-isolation.ts

// Enforced on the SERVER, from the verified session —
// never trusting a factory_id passed by the browser.
const { factoryId } = await getVerifiedSession();

if (factoryId) {
  // Reads are auto-scoped to this tenant only
  return db.select().where(
    eq(production.factoryId, factoryId),
  );
}

// And every write is checked at the boundary
if (row.factoryId !== factoryId) {
  return Response.json(
    { error: "Forbidden" },
    { status: 403 },
  );
}

AI, handled responsibly

Your reports are analyzed — then forgotten.

The AI reviewer exists to protect you, not to harvest your data. It reads a report, returns a verdict, and retains nothing.

No retention, no training. Prompts and PDFs aren't logged by the gateway and never feed model training.
Hardened against prompt injection. A report is treated strictly as evidence; instructions hidden inside a PDF are ignored.
Transparent verdicts stored with the model name and timestamp for your records.

How the reviewer works

Built on the edge

The app, database, file storage, queues, and the eFiling worker all run on a global edge network — with secrets managed in the platform, never in code.

Least-privilege brokers

A freight broker sees only the approved shipments explicitly assigned to them — and only to export. Nothing else in your account is visible.

Straight answers

Security FAQ

No. Every read is force-scoped to the signed-in factory's identity on the server, and every write is checked against it. Because factory identities are opaque UUIDs rather than readable supplier names, there's nothing to guess or tamper with.

No. The AI reviewer runs with zero data retention — your prompts and PDFs are not logged by the gateway and are never used for model training. Documents are analyzed to produce a verdict and then discarded.

Report PDFs live in a private object-storage bucket. Uploads and views happen through short-lived presigned links, so the files never pass through or rest on the application server itself.

Production edits, shipment changes, internal reviews, rejections, approvals, and every CPSC sync event are logged — giving you a complete, attributable history of what happened and when.

Only internal reviewer roles (admin and production) can approve and transmit, and only after explicitly confirming the CPSC attestation. Factories and brokers can never file on your behalf.

See it on your own data

Turn weeks of compliance work into minutes.

Book a walkthrough and we’ll map Factory Sync to your import file, factories, and CPSC account.

Book a demo Contact sales

No rip-and-replace · Works with your current production file · Live in days

Your factories, styles, andlab reports stay yours.