Security
SustainPro AI is being hardened for evidence-heavy sustainability workflows. This page summarizes the current public pilot controls.
Authentication
Supabase-backed user sessions. Voucher creation and listing require a validated bearer token.
Voucher Storage
DB-backed voucher records with row-level ownership and mutation-blocking database triggers.
Public Verification
Public verification uses a sanitized SECURITY DEFINER function instead of direct anonymous table access.
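The following Postgres/Supabase SQL is an added illustration of the two database controls described under Voucher Storage and Public Verification; it is not SustainPro AI's own schema. The table name `vouchers`, its columns, the function names and the use of Supabase's `auth.uid()` helper are all assumptions made for the example.

```sql
-- Added example (not SustainPro AI's schema). Hypothetical "vouchers" table used to
-- show: (1) row-level ownership via RLS, (2) mutation-blocking triggers,
-- (3) a sanitized SECURITY DEFINER function for anonymous public verification.
-- Assumes a Supabase-style Postgres with the auth.uid() helper and the
-- "authenticated" / "anon" roles.

create table if not exists vouchers (
  id              uuid primary key default gen_random_uuid(),
  owner_id        uuid not null default auth.uid(),  -- assumed Supabase helper
  evidence_sha256 text not null check (evidence_sha256 ~ '^[0-9a-f]{64}$'),
  private_notes   text,                              -- must never be exposed publicly
  created_at      timestamptz not null default now()
);

-- (1) Row-level ownership: a user sees and creates only their own voucher rows.
--     No UPDATE/DELETE policies exist, so RLS denies those operations outright.
alter table vouchers enable row level security;
alter table vouchers force row level security;       -- apply RLS to the table owner too
create policy vouchers_owner_select on vouchers
  for select to authenticated using (owner_id = auth.uid());
create policy vouchers_owner_insert on vouchers
  for insert to authenticated with check (owner_id = auth.uid());

-- (2) Mutation-blocking trigger: rejects UPDATE/DELETE even for roles that bypass
--     RLS (e.g. a service key), making voucher records append-only.
create or replace function reject_voucher_mutation() returns trigger
language plpgsql as $$
begin
  raise exception 'voucher records are immutable (attempted %)', tg_op;
end;
$$;
create trigger vouchers_immutable
  before update or delete on vouchers
  for each row execute function reject_voucher_mutation();

-- (3) Public verification: anonymous callers get a fixed, sanitized projection
--     through a SECURITY DEFINER function and never read the table directly.
revoke all on vouchers from anon;
create or replace function verify_voucher(p_id uuid)
returns table (voucher_id uuid, sha256 text, issued_at timestamptz)
language sql
stable
security definer
set search_path = public      -- pin search_path: standard hardening for SECURITY DEFINER
as $$
  select v.id, v.evidence_sha256, v.created_at
  from vouchers v
  where v.id = p_id;          -- private_notes and owner_id are deliberately omitted
$$;
grant execute on function verify_voucher(uuid) to anon;
```

The trigger is the backstop for the RLS policies: RLS governs which rows a role may touch, while the trigger makes the rows immutable regardless of role. The verification function returns only the columns a verifier needs (id, evidence hash, issue time), which is what "sanitized" means in practice; pinning `search_path` prevents a caller from shadowing `vouchers` with an object in another schema.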
Uploads
PDF uploads produce SHA-256 hashes for evidence tracking. Public verification does not expose raw private file contents.
Calculator
Carbon math uses packaged factor data and emits source/hash provenance. Unsupported or conflicting factors fail closed.
Rate Limits
Public API routes are rate-limited and expose security headers.
External board-grade certification, independent penetration testing, and optional external ledger anchoring remain separate launch governance steps.