[SEC] — Posture
Trust is the product.
Intelligence platforms hold what must not leak. Newrali is engineered from the first migration for isolation, least privilege, and accountability — not retrofitted for them.
[01] — Principles
Five commitments, enforced in code.
Isolation by architecture
Workspaces are hard tenant boundaries enforced at the database layer with row-level security. Module and team scopes narrow access further — every query is scoped, and cross-tenant leakage is treated as the primary failure mode to design against.
Least privilege, centrally decided
Every request is evaluated by a central policy engine (Cedar). Permissions are explicit, fine-grained, and auditable. Anything the interface shows you is a hint — the backend independently enforces the decision.
Accountability built in
Mutations to intelligence products are audited, and authorization decisions leave a trail. Finished work traces back through its revisions to the sources it rests on.
Proven primitives only
Modern authentication with passkeys and two-factor support. Cryptographically random share tokens — never guessable identifiers. Encryption in transit and at rest.
Your data, on your terms
Export what's yours, when you choose — polished PDFs today, and a path to running the entire platform on your own infrastructure.
[02] — Disclosure
What's live. What's ahead.
Security claims should be checkable. Here is where the platform stands today — and what we're building next, stated plainly.
Shipped — in the platform today
- ✓ Workspace isolation with row-level security
- ✓ Central policy-based authorization on every request
- ✓ Audited mutations on intelligence products
- ✓ Passkeys & two-factor authentication
- ✓ Encrypted transport and storage
- ✓ Cryptographically random share links with revocation
- ✓ Structured review before anything enters the record
◌ In development — the enterprise road
- → Self-hosted enterprise distribution
- → Offline, signed licensing — no phone-home required
- → Air-gapped deployment for isolated networks
- → Tamper-evident builds and supply-chain hardening
- → Hash-chained, exportable audit history
◆ Commitment to transparency
Verify us — don't take our word for it.
Security claims you can't check are just marketing. Our latest independent penetration-test report is available on request — read what the testers found, not what we chose to say.
Found something? We take reports seriously and respond fast — reach the team privately through the community or from inside your account.
Bring work that matters.
Run it on an architecture that takes it as seriously as you do.