PARIE is built on Google Firebase with server-enforced tenant isolation, AES-256 encryption, and a documented incident response process. We'd rather tell you what we haven't done yet than hide it: scroll all the way down for the honest gap list.
Firebase Auth handles all authentication; passwords never touch PARIE servers. 6 roles (user, manager, HR admin, company admin, client admin, super admin) are enforced server-side via Firestore security rules.
Each tenant lives under clients/{tenantId}. Every read/write path has an isMemberOf(tenantId) rule. Cross-tenant data access is impossible through supported paths. Verified by static review + automated tests.
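As an added illustration of the isMemberOf(tenantId) pattern described above (this is not PARIE's actual ruleset), the rules below assume membership is recorded at clients/{tenantId}/members/{uid} with a role field; paths that match no rule are denied by Firestore's default, so anything outside a tenant's subtree is unreachable:

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    function isSignedIn() {
      return request.auth != null;
    }

    // Assumed layout: clients/{tenantId}/members/{uid} exists only for
    // users who belong to that tenant. The caller's own uid is the only
    // one consulted, so a client cannot assert membership in another tenant.
    function isMemberOf(tenantId) {
      return isSignedIn()
        && exists(/databases/$(database)/documents/clients/$(tenantId)/members/$(request.auth.uid));
    }

    function roleIn(tenantId) {
      return get(/databases/$(database)/documents/clients/$(tenantId)/members/$(request.auth.uid)).data.role;
    }

    // Membership records are the trust anchor, so they get a stricter
    // rule that is evaluated before the recursive wildcard below.
    match /clients/{tenantId}/members/{uid} {
      allow read: if isMemberOf(tenantId);
      allow write: if isMemberOf(tenantId)
        && roleIn(tenantId) in ['company_admin', 'client_admin'];
    }

    // Every other document under a tenant: any member may read,
    // only managerial roles may write. No rule exists for other
    // tenants' paths, so cross-tenant reads and writes are rejected.
    match /clients/{tenantId}/{document=**} {
      allow read: if isMemberOf(tenantId);
      allow write: if isMemberOf(tenantId)
        && roleIn(tenantId) in ['manager', 'hr_admin', 'company_admin', 'client_admin'];
    }
  }
}
```

The rule names and role strings are assumptions for the example; the point to verify in any ruleset is that tenantId always comes from the requested path, never from request data.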
TLS 1.2+ everywhere. AES-256-GCM at the application layer for uploaded documents. AES-256 at-rest via Google Cloud KMS. Keys rotated annually or on compromise.
All LLM calls pass through a server-side proxy (claudeProxy) that enforces authentication, tenant resolution, tier gating, monthly caps, and rate limits. The Anthropic API key never touches the browser.
Daily Firestore export to a separate Google Cloud Storage bucket; 90-day retention; weekly verified restore; annual DR exercise. RPO 24 h, RTO 4 h.
Documented runbook with severity matrix. Customer notification within 72 hours of confirmed incident (more aggressive for Sev 1). Post-incident RCA shared with affected customers within 10 business days.
| Framework | Status | Notes |
|---|---|---|
| GDPR | Compliant | DPA available; SCCs incorporated; EU-region hosting available on request. |
| CCPA / CPRA | Compliant | Privacy policy covers California consumer rights; deletion on request within 30 days. |
| SOC 2 Type I | In readiness | Target audit Q4 2026. Weekly status available to Enterprise prospects on request. |
| SOC 2 Type II | Planned | Q2 2027 (6-month observation window after Type I). |
| HIPAA | BAA-ready | Separate BAA executable after scoped HIPAA controls complete (see Trust docs). |
| ISO 27001 | Inherited | Google Cloud infrastructure layer. No PARIE-level certification planned. |
| PCI DSS | N/A | PARIE does not store or process cardholder data. Stripe handles all payments. |
| Subprocessor | Purpose | Data | Location |
|---|---|---|---|
| Google Cloud / Firebase | Hosting, database, auth, serverless compute | All customer data (encrypted) | US (default) · EU / UK / APAC on request |
| Anthropic PBC | LLM inference (Claude API) | Prompts + context per call (no retention) | US |
| Stripe | Payment processing | Billing metadata only; no card data | US |
| Postmark | Transactional email | Email addresses + content | US |
| Namecheap | Domain and DNS | Public DNS only | US |
Full list and change history: parie.io/subprocessors. New subprocessors announced 30 days in advance.
We list the gaps so you can decide if they're blockers for you. If any of these is a dealbreaker, talk to us early and we'll scope remediation in the Order Form.
Targeted Q2 2027. Type I readiness is in progress now. We'll share audit observation access on customer request.
Scheduled Q3 2026, annual thereafter. Report available under NDA.
Founder-led response today; named rotation launches with the first SLA-bound Enterprise customer.
Security responsibilities are founder-held. Formal role when we cross 5 engineers or a customer requires it.
BYOK / CMK support planned Q1 2027 for Enterprise+.
Lightweight today. Full ISO-style policy set is being built alongside SOC 2 engagement.
We answer enterprise security questionnaires (SIG Lite, CAIQ v4, HECVAT) from scratch within 3 business days. Legal, privacy, and DPA questions within 2 business days.
hello@parie.io