Security Overview
Conduit is building toward SOC 2 Type I readiness. As governance infrastructure for MLS AI data access, security is foundational to every layer of the platform — from the Cloudflare Workers proxy edge to Supabase row-level security policies.
This section documents our current security posture, controls, policies, and procedures. We believe in honest disclosure: where controls are strong, we say so, and where improvements are planned, we disclose that too.
Security documentation
Security Controls
Authentication, transport security, rate limiting, field-level access, audit trails, anti-training safeguards, and database security.
Data Handling Policy
Data classification, encryption standards, retention policies, third-party processors, and known improvement areas.
Incident Response Plan
Severity levels, immediate response procedures, kill switch operation, communication protocols, and post-incident review.
Access Control Matrix
Role-based permissions across all platform resources with enforcement mechanisms at every layer.
Trust Scoring
Automated security scanning across 5 dimensions with 13 finding categories and severity-graded results.
Data Governance
MLS-defined field-level policies, vendor access controls, and policy enforcement at the proxy edge.
Certificates
Compliance certificates with cryptographic verification and public audit trail.
Security principles
Zero data retention — Conduit never stores MLS listing data. Property records transit through the proxy and are never cached or persisted.
MLS sovereignty — Every governance policy is defined and owned by the MLS. Conduit enforces but never overrides MLS decisions.
Defense in depth — Authentication, authorization, rate limiting, field filtering, and audit logging operate as independent layers. No single bypass compromises the system.
Honest disclosure — We document known limitations alongside strengths. Security through obscurity is not security.