Trust dossier · v1.0 · May 2026

PARIE Security & Compliance Posture.

An honest, structured snapshot of how PARIE handles customer data, what controls are in place today, what is in flight, and what the roadmap looks like for the rest of 2026. Designed to be the first answer to your security questionnaire.

Prepared by PARIE · Contact hello@parie.io

Contents

  1. Executive summary
  2. What data PARIE handles
  3. Architecture & isolation
  4. Access control & identity
  5. Encryption & key management
  6. Logging, monitoring & audit
  7. Availability & resilience
  8. Subprocessors
  9. Privacy & data subject rights
  10. Certifications & roadmap
  11. Incident response
  12. Vulnerability management
  13. How to escalate

1. Executive summary.

PARIE is a multi-tenant SaaS that delivers AI-grounded guidance and training inside enterprise web applications (Oracle, SAP, Salesforce, Workday, NetSuite, Dynamics, EPM tools, banking platforms). It runs on Google Cloud (Firebase) with Anthropic Claude as the inference layer. Founded in 2025; USPTO patent application #64/014,523 covers the underlying ensemble-reasoning method.

The product is in a phase commonly described as "design-partner stage" — operational systems are live, the architecture has been built deliberately for the multi-tenant security model that SOC 2 Type I requires, and 148+ automated tests run on every release. SOC 2 Type I certification is on track for Q4 2026. This document tells you exactly what is and isn't true today, in plain language, with no marketing.

What you can rely on today: multi-tenant rule-layer isolation, encryption at rest and in transit, append-only audit logs, brute-force lockout, forced-password-change on suspicious login, GDPR/CCPA-aligned data handling, a real DPA, a public subprocessor list, a real privacy policy, and the legal terms of a B2B SaaS (Delaware governing law, JAMS arbitration, capped liability).

What is on a customer-driven roadmap (not yet attested): SOC 2 Type I third-party audit, HIPAA BAA execution with upstream subprocessors, third-party penetration test, EU/APAC data residency. PARIE has self-collected evidence and template documents ready for each — these are engaged when a customer's procurement gate requires them. Until then, PARIE relies on its in-house tooling and the security architecture documented below.

2. What data PARIE handles.

The principle: collect the minimum we need to deliver the service, store it where the customer chose, and never train models on customer content.

Account data (email, name, role, tenant ID)
  Source: Customer admin or self-signup
  Stored where: Firestore (Google Cloud, US default)
  Retention: Lifetime of account + 30 days post-deletion

Authentication credentials (Firebase Auth tokens, hashed passwords)
  Source: Sign-in flow
  Stored where: Firebase Auth (Google-managed)
  Retention: Until rotation / account deletion

Knowledge-base documents (policies, SOPs that the customer chooses to upload)
  Source: Customer admin upload
  Stored where: Firebase Storage; metadata in Firestore
  Retention: Lifetime of account; customer can delete anytime

AI prompts & responses (the questions users ask + Claude's answer)
  Source: End-user copilot interaction
  Stored where: Anthropic API (no retention per Anthropic API terms); audit log entry in Firestore (prompt truncated, response not stored by default)
  Retention: 30 days for audit log; 0 days at Anthropic

Page-context labels (UI labels — button text, headings, breadcrumbs from the active tab)
  Source: Chrome extension content script
  Stored where: Sent to Anthropic with the prompt; not persisted
  Retention: 0 days

Usage metrics (call count, token count, feature, latency, tier)
  Source: claudeProxy Cloud Function
  Stored where: Firestore usage/ + usageLog/
  Retention: 13 months (rolling)

Audit log (admin actions, login events, privilege changes)
  Source: Server-side handlers
  Stored where: Firestore adminLogs/ (append-only)
  Retention: Indefinite (immutable)

What PARIE explicitly does not read

3. Architecture & isolation.

PARIE is built on Google Cloud (Firebase + Cloud Functions + Cloud Storage). Every customer is isolated at the rule layer, not just the application layer — meaning a misbehaving client request that escapes our application code still cannot read another tenant's data, because Firestore Security Rules enforce isolation at the storage layer itself.

Database
Firestore (Google Cloud Datastore). Customer data lives under /clients/{tenantId}/... with rules that require request.auth.token.tenantId == tenantId for every read/write.
File storage
Firebase Storage with cross-service rules that read user → tenant mapping from Firestore before allowing access.
Compute
Cloud Functions (Node.js 22, gen-1) for AI proxy, auth flows, admin operations. Anthropic API key never reaches the client; held in Google Secret Manager.
Hosting
Firebase Hosting (CDN-fronted, TLS 1.2+, HSTS).
AI inference
Anthropic Claude API. Calls go server-side from claudeProxy Cloud Function only — no client-side direct calls. Tier-gating, monthly caps, and rate limits enforced server-side before the upstream call.
Auth
Firebase Authentication. Email/password with optional SSO (SAML for Enterprise tier, on roadmap).

Multi-tenant boundary tests

Every release runs a security test suite that tries to: read another tenant's documents, write to another tenant's audit log, escalate privilege via direct Firestore writes, and bypass tier-gating. All must fail. The CI pipeline rejects any PR that breaks isolation.

4. Access control & identity.

End-user auth
Firebase Authentication (email + password, password reset via custom-SMTP transactional email). Passwords hashed with Firebase's standard scrypt-based scheme.
Brute-force protection
5 failed login attempts → 15-minute lockout. Lockout state stored in failedLogins/{emailKey} with rolling attempts array.
Forced password change
If an admin marks an account compromised, mustChangePassword flag forces a reset on next login.
Role model
Five roles: staff, manager, hr_admin, client_admin, super_admin. Role-creation matrix enforces who can create whom (a manager cannot create an admin; an HR admin cannot create a super admin; etc.).
Privileged access (PARIE staff)
Firebase Admin Console access is limited to the founder's account. All privileged actions on customer data require an adminLogs entry; logs are immutable and queryable on customer request.
Single sign-on (SSO)
SAML/OIDC available on Enterprise tier — implementation per-customer, scoped into the contract.
MFA
Available via Firebase Authentication; rolled out per tenant on Enterprise tier; optional on Pro.
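The lockout and forced-reset behaviour described above, as an added example that is not PARIE's own code: a pure JavaScript model of the failedLogins/{emailKey} state that can be unit-tested without Firestore. It assumes the document holds an attempts array of failure timestamps (in milliseconds) and a lockedUntil timestamp, that the rolling window equals the lockout length, and that a successful login clears the counter; the emailKey normalisation and those field names are assumptions, not PARIE's schema.

```javascript
// Added example (not PARIE's code): brute-force lockout state for one email,
// modelled as pure functions so it can run inside a Firestore transaction or
// a unit test. Field names, window semantics and key normalisation are
// assumptions made for this example.

const MAX_ATTEMPTS = 5;               // "5 failed login attempts"
const LOCKOUT_MS = 15 * 60 * 1000;    // "15-minute lockout"
const WINDOW_MS = LOCKOUT_MS;         // assumption: rolling window = lockout length

// Assumed normalisation for the failedLogins/{emailKey} document id:
// lower-case, with '@' and '.' replaced so the key is a valid path segment.
function emailKey(email) {
  return email.trim().toLowerCase().replace(/[@.]/g, '_');
}

function emptyState() {
  return { attempts: [], lockedUntil: 0 };
}

// Is this email locked out at time `now` (ms since epoch)?
function isLockedOut(state, now) {
  return state.lockedUntil > now;
}

// Record one failed attempt. Returns a new state and never mutates the input.
function recordFailure(state, now) {
  // Drop failures that have aged out of the rolling window.
  const attempts = state.attempts.filter((t) => now - t < WINDOW_MS);
  attempts.push(now);
  // The fifth failure inside the window starts (or extends) the lockout.
  const lockedUntil = attempts.length >= MAX_ATTEMPTS ? now + LOCKOUT_MS : state.lockedUntil;
  return { attempts, lockedUntil };
}

// Assumption: a successful login clears the counter, so stale failures do not
// count against a later, unrelated burst.
function recordSuccess() {
  return emptyState();
}

// One login attempt. The lockout is checked before the password, so a correct
// password during a lockout is still refused. Returns { ok, reason, state }.
function attemptLogin(state, passwordCorrect, now) {
  if (isLockedOut(state, now)) {
    return { ok: false, reason: 'locked_out', state };
  }
  if (!passwordCorrect) {
    const next = recordFailure(state, now);
    const reason = isLockedOut(next, now) ? 'locked_out' : 'bad_password';
    return { ok: false, reason, state: next };
  }
  return { ok: true, reason: null, state: recordSuccess() };
}

// Walk-through with constructed timestamps: five wrong passwords one second apart.
function demo() {
  const t0 = 1_700_000_000_000;
  let state = emptyState();
  let last = null;
  for (let i = 0; i < MAX_ATTEMPTS; i++) {
    last = attemptLogin(state, false, t0 + i * 1000);
    state = last.state;
  }
  return last.reason; // 'locked_out' on the fifth failure
}

console.log(emailKey('Alice@Example.com'), demo());
```

Because the functions return new state rather than writing it, the caller decides where the read-modify-write happens; a Firestore transaction on the failedLogins/{emailKey} document keeps two concurrent failed attempts from both reading the same attempts array and each concluding the account is not yet locked.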

5. Encryption & key management.

In transit
TLS 1.2 minimum, TLS 1.3 default. HSTS enforced on parie.io and *.web.app. All Cloud Function endpoints require HTTPS.
At rest
Google Cloud's default encryption — AES-256, customer data encrypted on disk by Google before being written to physical storage.
Application secrets
Anthropic API key, Postmark API key, and any other long-lived secrets are stored in Google Secret Manager. Never committed to source. Cloud Functions request them at runtime via the secrets: binding.
Customer-managed keys (CMK)
Available on request for Enterprise tier — adds Cloud KMS to the Firestore + Storage encryption path. Adds ~1 week of provisioning per tenant.

6. Logging, monitoring & audit.

Audit log scope
Every privileged operation (user creation, role change, document upload, document deletion, signup approval, super-admin access) writes an entry to Firestore adminLogs/ or per-tenant clients/{id}/auditLog/.
Immutability
Firestore Security Rules forbid update and delete on audit-log collections — only create is allowed, and the create rule requires the actor's UID match the entry's uid field. A successful audit-log entry cannot be retroactively altered, even by a super admin.
System logs
Google Cloud Logging captures all Cloud Function invocations, errors, and security events. Standard 30-day retention; longer retention available via Log Sinks to BigQuery.
Customer access
Tenant admins see their tenant's audit log in the admin portal. PARIE provides full audit-log export on request within 5 business days.
Anomaly detection
Failed-login telemetry, rate-limit triggers, and unknown-feature warnings surface in Cloud Logging. Alert routing to PagerDuty/Slack on Enterprise tier (in motion, Q3 2026).
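The two rule-layer controls described in sections 3 and 6 (tenant isolation on /clients/{tenantId}/..., and an audit log that accepts only creates whose uid names the caller), together with the boundary checks the release suite is said to run, as an added example that is not PARIE's rules file: a pure JavaScript model of the decisions a rules engine would make, so each case can be unit-tested without an emulator. It assumes the per-tenant audit collection is named auditLog, that audit entries carry the actor in a uid field, and that client writes setting a role field on users/{id} are refused because role changes go through a server-side Cloud Function; the global adminLogs/ collection is not modelled. The principals and paths are constructed for the example.

```javascript
// Added example (not PARIE's Firestore Security Rules): a pure JavaScript
// model of the tenant-isolation and append-only-audit decisions, with the
// cross-tenant and privilege-escalation probes from the release suite.
// Collection and field names beyond /clients/{tenantId} are assumptions.

const OPS = ['read', 'create', 'update', 'delete'];

// A request shaped like what the rules engine sees: caller auth (uid and the
// tenantId custom claim) and, for writes, the incoming document data.
function makeRequest({ uid, tenantId, op, data }) {
  return {
    auth: uid ? { uid, token: { tenantId } } : null,
    op,
    data: data === undefined ? null : data,
  };
}

// "/clients/acme/docs/d1" -> ["clients", "acme", "docs", "d1"]
function segments(path) {
  return path.split('/').filter(Boolean);
}

// The decision: true = allow, false = deny. Anything not explicitly allowed
// falls through to deny, which is also the rules engine's default.
function evaluate(path, request) {
  const segs = segments(path);
  if (!request.auth || !OPS.includes(request.op)) return false;
  if (segs[0] !== 'clients' || segs.length < 2) return false; // only tenant-scoped data is modelled

  // Rule 1 (section 3): request.auth.token.tenantId == tenantId for every read/write.
  const tenantId = segs[1];
  if (request.auth.token.tenantId !== tenantId) return false;

  // Rule 2 (section 6): the audit log allows read and create only, and a
  // created entry must name the caller in its uid field.
  if (segs[2] === 'auditLog') {
    if (request.op === 'read') return true;
    if (request.op === 'create') {
      return request.data !== null && request.data.uid === request.auth.uid;
    }
    return false; // update and delete are refused regardless of the caller's role
  }

  // Assumed rule: a client may not set `role` on a user document directly.
  if (segs[2] === 'users' && (request.op === 'create' || request.op === 'update')) {
    if (request.data !== null && Object.prototype.hasOwnProperty.call(request.data, 'role')) return false;
  }

  // Any other tenant-scoped document: allowed for a member of that tenant.
  return true;
}

// The boundary probes, keyed by name so each decision can be inspected.
function runBoundarySuite() {
  const alice = { uid: 'u-alice', tenantId: 'acme' };       // constructed: member of tenant acme
  const mallory = { uid: 'u-mallory', tenantId: 'globex' }; // constructed: member of another tenant
  const doc = '/clients/acme/docs/d1';
  const audit = '/clients/acme/auditLog/e1';
  return {
    ownTenantRead: evaluate(doc, makeRequest({ ...alice, op: 'read' })),
    crossTenantRead: evaluate(doc, makeRequest({ ...mallory, op: 'read' })),
    crossTenantAuditWrite: evaluate(audit, makeRequest({ ...mallory, op: 'create', data: { uid: 'u-mallory', action: 'x' } })),
    auditCreateOwnUid: evaluate(audit, makeRequest({ ...alice, op: 'create', data: { uid: 'u-alice', action: 'login' } })),
    auditCreateSpoofedUid: evaluate(audit, makeRequest({ ...alice, op: 'create', data: { uid: 'u-bob', action: 'login' } })),
    auditUpdate: evaluate(audit, makeRequest({ ...alice, op: 'update', data: { action: 'edited' } })),
    auditDelete: evaluate(audit, makeRequest({ ...alice, op: 'delete' })),
    directRoleEscalation: evaluate('/clients/acme/users/u-alice', makeRequest({ ...alice, op: 'update', data: { role: 'super_admin' } })),
    unauthenticated: evaluate(doc, makeRequest({ op: 'read' })),
  };
}

// True only if every probe produced the decision the release gate expects.
function isolationHolds() {
  const r = runBoundarySuite();
  const expected = {
    ownTenantRead: true, crossTenantRead: false, crossTenantAuditWrite: false,
    auditCreateOwnUid: true, auditCreateSpoofedUid: false, auditUpdate: false,
    auditDelete: false, directRoleEscalation: false, unauthenticated: false,
  };
  return Object.keys(expected).every((k) => r[k] === expected[k]);
}

console.log(isolationHolds() ? 'isolation holds' : 'ISOLATION BROKEN', runBoundarySuite());
```

The model keeps the two checks in the order a rules file would: the tenant claim is compared to the path segment before any collection-specific logic runs, so an audit entry written under another tenant's path is refused by the isolation check and never reaches the uid comparison. A real suite runs the same probes against the Firestore emulator with the deployed rules rather than against a model like this one.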

7. Availability & resilience.

Targeted SLA
99.9% monthly uptime on parie.io and the claudeProxy endpoint. Service credits per the Master Subscription Agreement (10% credit for <99.9%, 25% for <99.0%).
Underlying infrastructure
Firebase Hosting and Firestore are backed by Google Cloud's native multi-region replication. Cloud Functions in us-central1 with auto-failover within the region.
Status page
Public status at status.parie.io with real-time uptime monitors on hosting, Cloud Functions, Firestore, and Anthropic upstream.
Backups
Daily Firestore backups via the dailyFirestoreBackup Cloud Function, exported to a GCS bucket with 90-day retention. Restoration tested quarterly.
RPO / RTO
RPO = 24 hours (daily backup). RTO = 4 hours (Firestore restore + Cloud Function redeploy). Tighter targets available on Enterprise SLA addendum.
Disaster recovery
Documented runbook for region failover. Tested annually. Customer notified within 1 hour of detection of any incident affecting availability.

8. Subprocessors.

The complete, current list lives at parie.io/subprocessors. New subprocessors are announced 30 days in advance and customers may object per DPA §4.2.

Google Cloud / Firebase
  Purpose: Hosting, database, auth, storage, functions
  Data exposed: All customer data (encrypted)
  Certifications: SOC 2, ISO 27001, ISO 27018, FedRAMP High

Anthropic PBC
  Purpose: LLM inference
  Data exposed: Prompts + page UI labels per call (no retention)
  Certifications: SOC 2 Type II, HIPAA-capable under BAA

Stripe
  Purpose: Subscription billing
  Data exposed: Billing metadata only; no card data on PARIE
  Certifications: PCI DSS L1, SOC 1, SOC 2

Postmark
  Purpose: Transactional email
  Data exposed: Email addresses + content of system emails
  Certifications: SOC 2 Type II

Namecheap
  Purpose: Domain + DNS
  Data exposed: Public DNS records only
  Certifications: Domain registrar

GitHub
  Purpose: Source control
  Data exposed: PARIE source code (no customer data)
  Certifications: SOC 2, ISO 27001, FedRAMP

9. Privacy & data subject rights.

Privacy policy
parie.io/privacy — GDPR + CCPA aligned, includes legal-basis table, retention schedule, rights enumeration, and contact paths.
DPA
Standard Data Processing Addendum referenced in §13 of the Master Subscription Agreement. Standard Contractual Clauses (SCCs) included for EU transfers. Custom DPAs negotiable on Enterprise tier.
Right to access / port / delete
Tenant admins can self-serve in the admin portal. End-user requests are routed via the customer (PARIE is the processor; customer is the controller). Standard turnaround: 30 days.
Data residency
Default: US (us-central1). EU and APAC residency available on request for Enterprise tier — provisioned via parallel Firebase project in europe-west or asia-northeast. ~1 week of setup per region.
International transfers
Anthropic processes prompts in the US. PARIE's SCC + supplementary measures (encryption in transit, no retention by Anthropic per their API terms, prompt redaction of PII before transmission) cover Schrems-II / EU-US data transfer requirements.
Children's data
PARIE is a B2B platform; not directed at children <16. We do not knowingly collect data from children.

10. Certifications & roadmap.

GDPR + CCPA alignment
  Status: Live
  Notes: Privacy policy, DPA, SCC clauses, data subject rights handlers all live

Multi-tenant rule-layer isolation
  Status: Live
  Notes: Firestore rules + automated security tests on every release

Encryption at rest + in transit
  Status: Live
  Notes: Inherited from Google Cloud; AES-256 / TLS 1.2+

Append-only audit logs
  Status: Live
  Notes: Firestore rules forbid updates/deletes on audit collections

SOC 2 evidence collection
  Status: Live (in-house)
  Notes: Daily evidence packets emitted by the soc2EvidenceCollector Cloud Function — covers CC6.1, CC6.6, CC7.2, A1.2, CC2.2, CC9.1. Available to customers' auditors under NDA.

SOC 2 Type I third-party audit
  Status: Roadmap
  Target: Customer-driven
  Notes: Engaged when the first customer's procurement gate requires it. PARIE has self-collected evidence ready to hand to an auditor on day 1.

HIPAA BAA
  Status: Template ready
  Target: Q3 2026
  Notes: PARIE BAA template published at /baa. Anthropic + Google Cloud BAAs requested before any PHI is processed; status confirmed in writing per BAA Exhibit B.

ISO 27001
  Status: Customer-driven
  Target: 2027+
  Notes: Engaged alongside SOC 2 Type II if a customer requires both.

Penetration test
  Status: Customer-driven
  Target: Before first regulated deal
  Notes: Will be commissioned when a customer's procurement gate requires a current report; output shared under NDA. In the interim PARIE runs ESLint security rules and Dependabot on every release.

For buyers in regulated industries

If your procurement gate requires SOC 2 Type I, HIPAA BAA, or ISO 27001 on day 1: we engage with your timeline. PARIE will accelerate the relevant track in exchange for a contracted commitment, and where appropriate, partner with a SOC 2-certified channel partner (e.g., Donyati's compliance umbrella) to bridge the gap during certification. Talk to us before assuming the gap is a deal-breaker.

11. Incident response.

Detection
Cloud Logging alerts on auth anomalies, rate-limit spikes, and Cloud Function errors. On-call rotation: founder is primary; structured escalation as the team grows.
Notification window
For confirmed incidents affecting customer data, we notify affected customers within 72 hours of detection — meeting GDPR Article 33's notification window.
Notification channel
Email to the tenant's named security contact (collected at onboarding) + a status page banner at status.parie.io.
Post-incident review
Written post-mortem published within 14 days for any incident affecting >1 tenant, available to affected customers on request under NDA.
Customer-initiated incidents
Email hello@parie.io with subject SECURITY_INCIDENT for first response within 4 business hours; PGP key on request.

12. Vulnerability management.

Dependency scanning
Dependabot alerts on the GitHub repo; npm audit run on each function deploy.
Static analysis
ESLint with security plugins; CI rejects commits with high-severity findings.
Pen test cadence
Third-party penetration test commissioned when a customer's procurement gate requires it. SLA on remediation: 30 days for critical, 90 days for high, 180 days for medium.
Responsible disclosure
Email hello@parie.io with subject SECURITY_VULNERABILITY. We acknowledge within 2 business days, fix within the SLA above, and credit the reporter unless they prefer otherwise.
Bug bounty
Informal at this stage. Formal program engaged when the platform reaches sufficient scale to justify it.

13. How to escalate.

Security incident
hello@parie.io — subject SECURITY_INCIDENT — first response in 4 business hours
Vulnerability disclosure
hello@parie.io — subject SECURITY_VULNERABILITY — acknowledged in 2 business days
Privacy / data subject request
hello@parie.io — subject DATA_SUBJECT_REQUEST — 30-day turnaround
Compliance / due diligence
hello@parie.io — subject COMPLIANCE — for security questionnaires, attestation packets, custom DPA negotiation
NDA-protected materials
SOC 2 evidence packets, pen test executive summary, and architecture diagrams available under mutual NDA.