Trust draft
Current security posture and current limits
This page describes the controls Yrka has today without claiming audits, certifications, or guarantees that are not in place.
Current Controls
Yrka uses Supabase authentication, organization-scoped tenancy, role and permission checks, row level security, private storage, short-lived signed URLs, verified Stripe webhooks, audit events, app notifications, permission-scoped search routes, structured logs, and Sentry monitoring when configured.
Deployment, migration, backup, restore-drill, and incident-response runbooks are documented for launch operations.
AI And Search Boundaries
Admin assistant, official Manual, and Resources chat features use configured AI providers only when enabled and should be sent selected workflow context rather than given broad database access. Resources chat uses approved prepared records instead of every uploaded draft or file, and query-time search routes return permission-scoped results without creating a durable search index in V1.
AI-generated content, summaries, reports, and suggested admin actions require customer review before use and are not autonomous employment, payroll, legal, safety, or compliance decisions.
File Access
Uploaded employee files are stored in a private employee-documents bucket. Admin document links require the documents.view_confidential permission and create a 5-minute signed URL after checking organization ownership.
Employee document and paystub uploads are limited to 15 MiB and to the PDF, image, and Word document families; empty files, unsupported extensions, unsupported MIME types, and extension/MIME mismatches are rejected before the storage upload.
Employee object access is limited to the employee's own visible, non-confidential documents through storage access policies.
Not Yet Claimed
Yrka does not currently claim SOC 2, ISO 27001, HIPAA compliance, payroll processor status, tax filing compliance, legal or HR compliance advice, a formal uptime SLA, disaster recovery RTO/RPO commitments, or a completed independent penetration test.
Before Public Launch
Remaining launch trust work includes configuring Sentry and uptime monitoring, completing a restore drill, reviewing storage policies, reviewing service-role usage for new routes, evaluating malware scanning or quarantine for broader upload needs, and having privacy, terms, security, and support language reviewed.