Security baseline
Security Overview
This baseline describes the security posture Mishava is building for NGO workflows without claiming external certification.
Security overview only. Mishava is not SOC 2 certified, ISO 27001 certified, FedRAMP authorized, or externally penetration-tested in this baseline.
Current protections
Mishava V2 uses a clean Supabase V2 project, Supabase Auth foundation, organization-scoped access, RLS where implemented, role permissions, private evidence storage by default, and audit events for sensitive workflows.
Service-role operations are intended to remain server-side only. Secrets must not be committed to the repo, and local secret files remain git-ignored.
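As an added example (not Mishava's own code or schema), the following shows how organization-scoped access and deny-by-default rows are typically enforced with Supabase RLS, and why service-role work must stay server-side; the table names, columns and the is_org_member helper are assumptions, while auth.uid() is Supabase's built-in helper.

```sql
-- Added example, not Mishava's schema: organization-scoped access enforced with
-- Postgres RLS in a Supabase project. Table and column names are assumptions.
create table organization_members (
  organization_id uuid not null,
  user_id uuid not null references auth.users (id),
  role text not null check (role in ('admin', 'member', 'viewer')),
  primary key (organization_id, user_id)
);

create table evidence (
  id uuid primary key default gen_random_uuid(),
  organization_id uuid not null,
  storage_path text not null,
  created_by uuid not null default auth.uid()
);

-- Deny by default: once RLS is enabled, a table with no matching policy
-- returns no rows to the anon and authenticated roles.
alter table organization_members enable row level security;
alter table evidence enable row level security;

-- Membership lookup as a security-definer function so the evidence policy can
-- read organization_members without triggering that table's own RLS.
create function is_org_member(org uuid) returns boolean
language sql security definer stable set search_path = public
as $$
  select exists (
    select 1 from organization_members
    where organization_id = org and user_id = auth.uid()
  );
$$;

create policy "members read own org evidence" on evidence
  for select to authenticated
  using (is_org_member(organization_id));

create policy "members add evidence to own org" on evidence
  for insert to authenticated
  with check (is_org_member(organization_id) and created_by = auth.uid());

-- Note: the service_role key bypasses RLS entirely, which is why service-role
-- operations belong server-side and never in a browser or mobile client.
-- Check: impersonate an authenticated user who is in no organization, the way
-- PostgREST sets claims per request, and confirm the table looks empty.
begin;
set local role authenticated;
set local request.jwt.claims = '{"sub":"00000000-0000-0000-0000-000000000001"}';
select count(*) from evidence;  -- expect 0 for a non-member
rollback;
```

Run the check block against a test project only; the constructed UUID is a placeholder for a user who holds no membership row.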
Internal compliance readiness documentation tracks SOC 2, ISO 27001, accessibility, privacy, vendor, and audit-evidence preparation without claiming external certification.
Known limitations
Broad-launch email and password-reset verification still needs retesting where Supabase rate limits affected earlier checks.
MFA enforcement, SSO, malware scanning, formal monitoring/alerting, external security audit, SOC 2, ISO 27001, and FedRAMP are not implemented or certified in this baseline.
Support and incidents
Security concerns, mistaken access, suspected data exposure, or report-sharing issues should be reported through support for review and audit-trail follow-up.