Security at ResolvCmd
We are transparent about our current security posture, what we are working on, and what is on the roadmap. No overclaiming.
Current controls
Tenant isolation
Every customer's data is walled off by design. Row-level security in PostgreSQL. Tenant-filtered Qdrant queries. No cross-tenant data access is possible.
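As an added illustration of the PostgreSQL half of this control (not ResolvCmd's own schema or code; the table, role and setting names are assumptions), this shows a tenant-scoped policy, the FORCE setting that binds the table owner too, and the behaviour when a connection never sets a tenant:

```sql
-- Added example, not ResolvCmd's code. Assumed schema: a "documents" table
-- keyed by tenant_id, an application role "app_user", and a per-transaction
-- setting "app.tenant_id" that the API layer sets after authenticating the caller.
CREATE TABLE documents (
    id        bigserial PRIMARY KEY,
    tenant_id uuid NOT NULL,
    body      text NOT NULL
);

-- ENABLE turns RLS on for non-owners; FORCE applies it to the owner as well,
-- so a migration or admin tool connecting as the owner gets no silent bypass.
-- Superusers and roles with BYPASSRLS are still exempt, which is why the
-- application role below is created without that attribute.
ALTER TABLE documents ENABLE ROW LEVEL SECURITY;
ALTER TABLE documents FORCE ROW LEVEL SECURITY;

-- One policy covers reads (USING) and writes (WITH CHECK).
-- current_setting(name, true) returns NULL instead of raising when the setting
-- is absent; NULL = tenant_id is never true, so an unscoped connection sees
-- zero rows rather than every tenant's rows (fail closed).
CREATE POLICY tenant_isolation ON documents
    USING      (tenant_id = current_setting('app.tenant_id', true)::uuid)
    WITH CHECK (tenant_id = current_setting('app.tenant_id', true)::uuid);

CREATE ROLE app_user NOLOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON documents TO app_user;
GRANT USAGE, SELECT ON SEQUENCE documents_id_seq TO app_user;

-- Per-request pattern: scope the transaction, then run the tenant's queries.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';  -- constructed id
SELECT id, body FROM documents;   -- only rows whose tenant_id matches
COMMIT;

-- Check 1: a write tagged with another tenant's id fails the WITH CHECK clause
-- (new row violates row-level security policy), so the API cannot be tricked
-- into filing data under a different tenant.
-- Check 2: run the SELECT without SET LOCAL app.tenant_id; the expected result
-- is an empty set, not a full-table scan.
```

Both checks are worth keeping in an integration test suite, since a later `ALTER TABLE ... NO FORCE ROW LEVEL SECURITY` or a role granted BYPASSRLS would break the "no cross-tenant access" claim without any change to application code.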
Encrypted credentials at rest
Fernet encryption on all stored integration tokens (Zendesk OAuth, ConnectWise API keys, Confluence tokens). Keys managed via standard infrastructure secret management.
Full disk encryption
LUKS on all infrastructure volumes. Host-level encryption at rest.
OAuth and least-privilege scopes
Where the upstream platform supports it (Zendesk, Google Drive, future Microsoft Graph), we use OAuth with scoped permissions. We request only the access we need to deliver resolutions.
Role-based access control
Admin, Technician, and Read-only roles enforced at the API layer. Granular permissions for Studio actions, billing, and configuration.
Audit logging
Immutable log of administrative actions, authentication events, and data lifecycle events. One-year retention. Available for export.
Source citation transparency
Every resolution shows exactly which documents and chunks were used to generate it. No opaque generation. Confidence levels (HIGH, MEDIUM, LOW) are exposed on every response.
Data lifecycle
30-day soft delete on customer-initiated removal, then a hard delete cascade across PostgreSQL, Qdrant, and the staging filesystem. We can also delete on demand.
In progress
CASA Tier 2 assessment
We are currently undergoing a CASA Tier 2 (Cloud Application Security Assessment) review. CASA Tier 2 is required for the Google Workspace Marketplace and provides independent third-party validation of our security review for the Google Drive integration. It covers authentication flow review, OAuth scope justification, encryption practices, vulnerability management, incident response process, and privacy practices.
On the roadmap
SOC2 Type II
We are committed to SOC2 Type II as our customer base grows. The audit timeline is gated on revenue milestones rather than calendar dates so that we can do it properly when the cash flow justifies the investment. We do not publish a target date because dates we miss damage trust. If a SOC2 Type II report is a requirement for your procurement process, we are happy to walk you through our current posture and the audit timeline we are working against.
Vendor security questionnaires
We respond to standard vendor security questionnaires (SIG, CAIQ, custom forms). We maintain a reusable questionnaire response document and answer most questionnaires within five business days.
What we will not do
We will not publicly claim compliance attestation we do not yet have. If you see any vendor doing this, leave the page.
We will not train models on your data. Your knowledge is yours and only yours.
We will not share customer data across tenants for any reason, including model improvement.
Reporting a security issue
If you have found a security issue, please email security@resolvcmd.com. We will acknowledge within one business day. We do not currently run a public bug bounty program, but we appreciate responsible disclosure and will recognize researchers who report valid issues.
Other questions
For questions about our security posture, vendor questionnaires, or data handling, contact hello@resolvcmd.com and we will route to the right person.