SECURITY

Security and trust.

How Catylst protects your data, validates AI outputs, and maintains compliance across every surface of the platform.

The posture

Controls, documented.

Five anchor controls that carry Catylst's security story. Each is in production today or mapped to a dated milestone.

01 · Tamper-evident audit

Hash-chained audit log.

Every privileged write is stamped into an immutable, hash-chained append-only log. Tampering breaks the chain and triggers a Sev-1 alert.

Tamper-evident audit log — document with data lines representing append-only records
02 · Database isolation

Row-level security.

Postgres RLS policies enforce tenant isolation at the database layer. Cross-tenant data leaks are architecturally prevented, not just code-gated.

Row-level security — balance scale representing tenant isolation at the database layer
03 · Faith data protection

GDPR Article 9 faith data protection.

Faith data is encrypted at rest with per-tenant DEKs. Reads are logged. Deletion on consent withdrawal is immediate cryptographic shredding — not a 30-day soft delete.

Faith data protection — three nodes representing per-tenant encryption keys
04 · Compliance posture

SOC 2 readiness.

Control design is mapped to SOC 2 Trust Services Criteria from day one. External audit is scheduled for Year 1.

SOC 2 readiness — ascending bars representing control maturity over time
05 · AI validation

5-layer AI output validation.

Every AI-generated recommendation passes through a 5-layer validation pipeline: structural sentinels, cite-bound conjunction, symmetric leak check, CI lint gateway, and output wrapper lint — before any output leaves the AI service.

Five-layer AI validation — magnifying glass over layered review stages
Faith data handling

How faith fields are protected.

INFRASTRUCTURE

Production-grade infrastructure at every layer.

Built on managed, auditable services with observability from the database to the browser.

  • Supabase Postgres

    Row-level security enforced at the database layer. Per-tenant encryption keys.

  • Upstash Redis

    Per-tenant cache and idempotency. Rate limiting at the edge.

  • Vercel Edge

    Global cache, WAF, rate limit. TLS 1.3 everywhere.

  • Sentry + OpenTelemetry

    Full-stack observability with span-level tracing.

VERIFICATION

Seven independent verification badges.

Every badge has a published criterion and an open review path. No pay-to-play. No self-attestation.

  • Verified

    Legal entity name, jurisdiction of registration, and authorized representative confirmed against public records.

    Review criteria
  • Nonprofit Status

    501(c)(3) status confirmed via IRS EIN lookup with automatic revalidation against current IRS records.

    Review criteria
  • Diligence Ready

    Profile threshold completed, governance documents uploaded, and initial completeness scoring passed.

    Review criteria
  • Enhanced Reporting

    Structured impact reports submitted with ongoing reporting cadence agreed at 6-month and 12-month intervals.

    Review criteria
  • Financial Disclosure

    Form 990, audited financials, or equivalent documentation uploaded and reviewed against platform standards.

    Review criteria
  • Network Endorsed

    Endorsed by a recognized network, denomination, or umbrella body. Endorsement source is publicly attributable.

    Review criteria
  • Answer Verified

    Every AI-drafted answer is grounded in source documents and cites the specific passage it was derived from.

    Review criteria
Certifications roadmap

What we're doing next.

A concrete schedule from launch through Year 2. Dates are commitments; changes are published on the Transparency Report.

  1. Launch · Month 0

    Controls live on day one.

    Hash-chained audit log live. RLS policies in production. GDPR Article 9 controls active. Informal pastoral review operating with 2-3 advisors.

  2. Month 6

    External penetration test.

    External penetration test conducted by a reputable firm, with a documented remediation cycle. Findings and closure notes published on the Transparency Report.

  3. Month 13–14

    SOC 2 Type I audit.

    SOC 2 Type I audit by an accredited CPA firm. Report published, with the scope and control catalog shared on request under NDA.

  4. Year 2

    SOC 2 Type II audit.

    SOC 2 Type II audit covering a 12-month observation window. Report published annually thereafter on the Transparency Report cadence.

Faith review

About our faith-review posture.

Questions about security?

Talk to our team or read the full Transparency Report.

Contact usRead report