Trust

Security

How we protect your data

Private alpha note. The controls below describe Continuum's production posture. The tenant-isolation, authentication, and transcript-handling layers are operating today against the same code that will run in production; the deploy-platform controls (cloud infrastructure, audit-log retention, region selection) become live the moment Continuum is deployed for a customer. Pre-deploy, no live customer data exists.

Isolation

Every workspace is fully isolated at the database level. Queries are scoped by workspace ID, and that scoping is enforced in the API layer. No workspace can access another's data.

Encryption

All data is encrypted in transit (TLS 1.2+) and at rest. Transcript files uploaded for processing are stored encrypted in object storage and deleted after extraction completes.

Authentication

Authentication is handled via Zitadel, a self-hosted open-source identity provider (Apache 2.0). We support Google OAuth and email/password. Sessions use short-lived JWTs. MFA is available.

Transcript handling

Raw transcript text is processed in-region and not retained beyond the extraction pipeline. The persistent record is the structured commitment data — not the source text. You control deletion of your workspace's commitment data at any time.

Infrastructure

Hosted on Google Cloud Platform. Stateless services run on Cloud Run (auto-scaling, ephemeral). Stateful services (database, auth) run on isolated GCE instances with private networking. No public database endpoints.

Audit log

All significant actions — ingestion, extraction, commitment changes, membership changes — are written to a structured audit log. Logs are immutable and retained for 12 months.

Vulnerability disclosure

If you discover a security vulnerability, please report it to hello@continuumstate.io. We respond within 48 hours and will not pursue legal action against good-faith researchers.