Security & Trust

Your township data, handled right.

Dekree handles records that are public when they should be and private when they must be. Here is how we keep that line clear, in plain English, for the IT director your supervisor will forward this page to.

Org isolation, enforced at the database

Every table in Dekree carries an org_id and a row-level security policy. One township cannot read another township's data, even by accident, even via the API.

  • Postgres row-level security on every table
  • Org scoping enforced at the database, not the application layer
  • SECURITY DEFINER helper functions for auth context
  • No shared buckets; per-org storage boundaries

Encryption, in transit and at rest

TLS for every request. AES-256 for data at rest. Customer documents in private storage with signed URL access for previews.

  • TLS 1.3 for all client and webhook traffic
  • Storage at rest encrypted via AWS KMS
  • Signed URL preview model — no public file paths
  • Custom domain support uses your own TLS certificate

Audit trail, append-only

Every FOIA, every meeting, every document action is recorded with timestamp and user. Audit log entries are append-only — they cannot be edited or deleted.

  • Timeline tables on requests and meetings
  • Access log captures every document read
  • PII-scrubbed logs in error tracking (Sentry)
  • One-click export for auditors and council

PII handling, deliberate

Sensitive content gets redacted server-side and permanently. We scrub PII from error reports automatically. Original documents are admin-restricted.

  • Server-side redaction removes underlying text from PDFs
  • Original preserved in admin-only storage
  • Automatic Sentry beforeSend hook strips PII fields
  • No session replay (would capture screen content)

Roles, scoped per organization

Clerks draft. Supervisors approve. Council views. Each role gets only the surface area it needs. Invites carry one-time tokens.

  • Role-based access control on every action
  • Cryptographic invite tokens, never returned to clients
  • Multi-factor auth via Supabase Auth
  • Session refresh handled at the edge

Webhook and integration security

Inbound webhooks verify their source via shared secrets and signed payloads. No deserialization of untrusted input.

  • Postmark inbound + delivery webhooks signature-verified
  • Stripe webhook signature checked on every event
  • Rate limits on every public-facing endpoint
  • Strict security headers (HSTS, X-Frame-Options, etc.)
Infrastructure

Here is the actual stack.

No mystery vendors. Forward this section to your IT director and they can run their own checks.

Application hosting
Vercel · US edge network
Database
Supabase · PostgreSQL 15 · US-East
File storage
Supabase Storage (S3-backed) · private buckets default
Email delivery
Postmark · transactional + inbound
Error monitoring
Sentry · PII scrubbing on every event
Background jobs
Inngest · signed event keys
Compliance posture

Where we are. Where we are going.

Dekree is a Michigan-only company at the start of our scaling journey. Some certifications take time to earn responsibly. We are direct about what we hold today and what is on the roadmap.

For sensitive deployments, talk to us. We are happy to walk through specific compliance questions on a call.

Michigan retention schedules applied

Active

Records governed by Michigan retention rules per category at upload.

PII redaction and audit logging

Active

Server-side redaction, append-only access logs, Sentry PII scrubbing.

SOC 2 Type II

In progress

Audit prep underway. Available in 2026 for enterprise customers on request.

StateRAMP authorization

Roadmap

Pursued as we scale into state-agency deployments.

Found a security issue?

Email security@dekree.ai. We respond within one business day. We do not pursue legal action against researchers reporting in good faith.

Talk to us about your security questions

Forward this page to your IT director?

Book a 15-minute walkthrough