Security & Trust at Stage

Stage is an AI-native platform for commercial real estate. Because it handles sensitive portfolio and lease information, security is built into the foundation across three layers — perimeter, data, and AI — with every claim published at its honest maturity.

Last updated: 1 June 2026 · Version 1.0

Request full security package See implementation status
How to read this page: ✅ Implemented built & verified 🟡 Scaffolded partial / not default-on 🔲 Roadmap committed, not yet built

Overview

A three-layer trust architecture

Traditional SaaS security stops at the application edge. An AI-native platform has a second trust boundary inside the app — the model's context window — so we treat AI as a first-class security domain, not an afterthought.

1 · Perimeter

Authenticated, authorized, rate-limited, validated.

  • Per-request JWT auth (Clerk)
  • Seven-tier RBAC enforced at the API layer
  • Per-tenant / per-endpoint rate limiting
  • Generic error responses — no stack traces

2 · Data

Isolated, encrypted, governed end-to-end.

  • Fail-closed tenant isolation at the database layer
  • Ingestion validation + pre-context PII scan
  • Immutable provenance chain + lineage
  • Idempotent six-step deletion

3 · AI

Transparent, bounded, provenance-tracked.

  • Model-routing ledger (provider + reason per call)
  • Version-controlled prompts (semver + hash)
  • Prompt-injection sanitization + fencing
  • Loop / timeout / token / cost guardrails

The differentiator

AI System Security START HERE

Stage runs a small team of specialized agents — Sage (synthesis), Scribe (document reading), Scout (research), Strat (modelling), Sentry (governance). Each has a narrow job and only the data access that job requires. Here is how we keep them trustworthy.

You can always see which AI did what

Every agent action is logged with the model used, the provider (Anthropic or Google), the reason it was chosen, the exact prompt version, and a fingerprint. "Which AI processed our data, and when?" always has an answer.

Your data never trains the models

Under Anthropic's and Google's commercial API terms, prompts and outputs are not used to train their models, and Stage opts into no data-sharing program.

They can't act on hidden instructions

Text inside uploaded documents is treated as data, never commands. We strip known manipulation patterns and wrap document text in a labeled boundary the model is told to read but never obey.

Important work is double-checked

A second model verifies the first on document extraction; disagreements are held for a human, not auto-published. Nothing becomes your system-of-record without human approval.

They can't run away

Hard limits on orchestration loops, time, and tokens, plus a per-tenant daily spend cap with a soft alert and a hard cutoff, prevent a stuck or abused agent from running up cost or load.

Every answer is traceable

Outputs carry a confidence tier, source references, and model attribution. A lineage API replays any result back to the document and upload event it came from.

Honest note. Stage does not run a production vector (embedding) store today; retrieval into agent context is database queries already protected by our tenant-isolation guard. The isolation contract and CI test for embeddings are built and ready for when that capability ships 🟡.

Data protection

Isolation, encryption & residency

Each customer's data is walled off at the database level by an automatic guard that fails safe: if the system cannot confirm who is asking, it returns nothing.

Tenant isolation

A global database guard injects a tenant filter into every read and stamps every write — defense across application, database, vector, agent-context, and logging layers. A CI red-team test asserts cross-tenant reads return nothing, and runs before every release.

Encryption

  • In transit: TLS 1.2+ end-to-end
  • At rest: provider-managed volume/DB encryption
  • Tenant-scoped BYOK keys 🟡
  • Embedding encryption (with vector backend) 🔲

Residency 🟡

Tenant data and uploads live on Stage's hosted deployment with an encrypted persistent volume. Dedicated-region and single-tenant-instance deployments for enterprise contracts are on the roadmap.

Sub-processors

Sub-processorData receivedNotes
RailwayAll tenant data (at rest / in process)Hosting · DPA · encrypted
Anthropic (Claude)Agent prompts, transientNo training · DPA
Google (Gemini)Document text/images, transientNo training · DPA
ClerkUser identity, org membership, rolesAuth · SOC 2 (provider) · DPA
ResendRecipient email + message metadataTransactional email · DPA
SentryError metadata (no tenant PII by design)Monitoring · DPA
AssemblyAIMeeting audio (only when transcription used)DPA
A maintained sub-processor list with change-notification is on the roadmap 🔲. Current DPAs are available on request.

Privacy & compliance

GDPR, CCPA & your right to erasure

GDPR & CCPA

Data-subject / consumer rights — access, rectification, erasure, portability — fulfilled via tenant admin tools and a documented runbook. Stage does not sell or share personal information. DPA available on request.

PII detection

Uploaded text is scanned for SSNs, card and account numbers, addresses, and attorney-client privilege markers before any model sees it. You choose the policy: STRICT (quarantine), WARN (allow + log), or PASSTHROUGH (your own DLP).

Deletion & retention

An idempotent six-step cascade removes data from source storage, the retrieval index, caches, and flags affected logs — with a verifiable confirmation. Retention is tiered and tenant- configurable 🟡.

  • Acknowledge request ≤ 72 hours
  • Document deletion ≤ 7 days
  • Full tenant erasure ≤ 30 days

Access & identity

SSO, provisioning & admin controls

SSO & directory

  • SAML 2.0 & OIDC (Clerk Enterprise)
  • MFA (TOTP / SMS / passkeys)
  • SCIM 2.0 provisioning endpoints 🟡
  • JIT provisioning 🟡

Role-based access

A seven-tier role hierarchy (auditor → super-admin) enforced at the API layer, not just the UI. Maps cleanly to Admin / Operator / Viewer for procurement.

Tenant-admin controls

  • Integration enable/disable
  • Per-tenant cost caps
  • PII scan sensitivity 🟡
  • Retention period 🟡
  • MFA enforcement / IP allowlist 🔲

Operations

Logging, vulnerability management & resilience

Logging & audit

Application, auth, agent-run, model-routing, ingestion, deletion, and access events are logged; records are hash- and signature-protected. Tenant admins can query their own audit trail.

SIEM export 🔲

JSON / webhook log export for Splunk, Sentinel, and Datadog is on the roadmap; the audit and agent-run schemas are already export-ready.

Vulnerability management

Dependencies are pinned to CVE-safe floors and audited with pip-audit. Patch targets: Critical 24h · High 7d · Medium 30d · Low 90d 🟡.

Continuity & DR 🟡

SLO monitoring and health probes are live. Formal uptime SLA, RTO/RPO targets, and multi-region failover are on the roadmap 🔲.

Incident response

Severity tiers & breach notification

TierDefinitionResponse target
P0Active breach or confirmed data exfiltrationImmediate
P1Suspected breach, outage, or compliance-triggering event1 hour
P2Security degradation, failed control, or anomaly4 hours
P3Low-severity event, policy violation, informational24 hours
Breach notification. Stage commits to notifying affected tenants without undue delay and within 72 hours of confirming a breach affecting their data, with what happened, what data was affected, what we are doing, and what the tenant should do — plus GDPR supervisory-authority notification within 72 hours where applicable.

Certifications & roadmap

Where we are — honestly

A page of all-green checkmarks fails the moment one claim doesn't survive diligence. We publish exactly what is live, partial, and planned, because trust is built on accuracy.

ItemStatusNotes
Tenant isolation + CI red-team test✅ LiveActivated per deployment
AI model-routing ledger + prompt versioning✅ LivePer-call provenance
Ingestion validation + PII scan + deletion✅ Live107-test security suite
SSO / SAML / OIDC / MFA✅ Livevia Clerk Enterprise
SCIM directory sync · BYOK encryption🟡 ScaffoldedEndpoints exist; IdP-certified sync in progress
Production vector store + embedding encryption🟡 Contract readyIsolation enforced when shipped
SOC 2 Type I → Type II🔲 RoadmapMany criteria already implemented · target dates on request
Third-party penetration test🔲 RoadmapSummary shareable under NDA
SIEM export · IP allowlist · multi-region DR🔲 RoadmapSchemas export-ready today
Material security improvements are published here with a changelog; enterprise tenants are notified directly. Subscribe via security@wxstage.com.

Document library

Request the full package

Enterprise Security Posture

The authoritative 9-section reference: threat model, isolation, AI security, access control, incident response, and a pre-filled 25-question vendor security questionnaire. ✅ Available

Data Processing Agreement (DPA)

Countersigned DPA with sub-processor list and breach-notification commitments. ✅ On request

Data-handling FAQ & data-flow diagram

Procurement-ready Q&A and a structured ingestion architecture diagram. ✅ Available

Right-to-erasure runbook

The operational deletion procedure with SLAs. ✅ Available

SOC 2 report

Available after certification, under NDA. 🔲 Roadmap

Penetration-test summary

Available after first engagement, under NDA. 🔲 Roadmap

Contact

Talk to our security team

For security questionnaires, DPAs, document requests, or to report a vulnerability:

📧 security@wxstage.com
🔐 PGP key & responsible-disclosure policy available on request
📄 Implementation status · Document library

Responsible disclosure. We welcome good-faith security research. Report suspected vulnerabilities to security@wxstage.com; we commit to acknowledge within 72 hours and will not pursue action against researchers acting in good faith.