How we protect your community's data

Every row in every table carries a tenant_id. All read and write paths filter by it before returning data; the platform code never executes a query without an authenticated tenant scope. Service-role access is gated to the functions layer — never exposed to client code.

Every database read and write goes through a Netlify function that verifies the caller's Supabase session token, resolves their member record + tenant, and constrains queries to that scope. Members can only access their own data; admin endpoints additionally check role and tenant ownership.

Pegasus tenants bring their own LLM API key. The platform stores it server-side only — it's never returned to the browser, never written to logs. Tenants who set up BYOK can also rotate or revoke the key from the admin settings panel without contacting support.

Every function that calls an external API is rate-limited per authenticated user. A compromised account cannot abuse the platform or run up provider costs.

All user input is sanitized before being injected into AI prompts. Every system prompt includes an injection-defense header. Member content cannot manipulate the AI advisor's behavior or extract the prompt.

Any participant can flip AI off for a thread. Once flipped off, the thread is permanently locked from AI access — re-enabling would leak the muted member's words to AI. The lock is checked atomically on every AI call path.

Responses include Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy headers. Clickjacking, MIME sniffing, and data leakage are mitigated at the network layer.

Sensitive operations — badge actions, admin changes, data deletions, API key rotations, AI-toggle flips — are written to an append-only audit log. Clients cannot modify or delete audit entries.

Members can request deletion of all personal data at any time. Journal entries, goals, badges, and profile data are permanently deleted. Chat messages are anonymized so the conversation thread continuity for other members is preserved without identifying the deleting member. The request is logged in the audit trail.

Tenants can choose any supported provider through the LLM abstraction layer. Switching providers is a config change — no code rewrite. HIPAA-eligible providers (AWS Bedrock, Azure OpenAI) can be enabled per-tenant when their compliance posture requires it.

Hortz does not serve ads, sell member data, or share behavioral data with third parties. Member activity stays in the platform database and nowhere else.

What we learn about a person — identity anchors, named patterns, voice traits, durable expertise — belongs to that person, not the community where it was first observed. Each insight carries a share_scope chosen by the member: visible across all their communities, visible only in specific ones, or private to the community of origin. The visibility predicate is enforced on every cross-tenant read; private content cannot leak even when the same person is active in multiple Hortz tenants.

Every user-controlled field that flows into an AI prompt is wrapped in typed delimiter blocks (PERSON_BUILDING, PERSON_IDENTITY, SOURCE_BODY, etc.) and the system prompt explicitly instructs the model that delimited content is data, not instructions. Sanitization strips both standard injection tokens ([INST], <|im_start|>) and our own delimiter sequences from user input, so a member cannot forge new prompt blocks by including delimiter strings in their own profile data.

Daily AI surface budgets and de-duplication checks run inside per-member advisory locks at the database level. Concurrent requests for the same member can't race past the budget cap or queue duplicate triggers. Translation-cache misses serialize per cache key so N parallel callers produce one model call, not N.

Before every deploy that touches the AI prompt layer, surface delivery, or member-data plumbing, a regression smoke probes ten attack categories: prompt-injection delimiter escape, cross-tenant share_scope leak, concurrent cache thrash, dedupe race, endpoint ownership bypass, proposal double-act, foreign-tenant access, GDPR sweep coverage, and limit-bound exploitation. Issues found are fixed and the smoke re-run before ship.