
Security at Compass.

Compass holds engineering team data. We treat it the same way we'd want our own data treated.

Last updated · May 2026

Authentication

Sign-in is handled by Supabase Auth. Passwords are never stored in plain text — Supabase uses scrypt-based hashing with a per-user salt. Sessions are cookie-backed with secure, HTTP-only flags and rotate on sign-in.

Engineering team members complete the assessment via a single-use token link emailed by the workspace admin. Members do not have account credentials of their own.

Row-level isolation

Every customer-data table in Compass has Postgres Row-Level Security enabled. A query made on behalf of one workspace admin cannot return rows belonging to another workspace — the policy is enforced inside the database, not only at the application layer.

Member-side writes (the assessment flow) use token-validating security-definer RPCs that scope every insert to the member the token belongs to. The service-role key is not held by the application.
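As an added illustration, not Compass's own schema or code, the following SQL sketches how the two mechanisms in this section fit together on Postgres/Supabase: an RLS policy that scopes admin reads to their own workspace, and a security-definer RPC that consumes a single-use token and derives the member from it. All table, column and function names are assumptions; auth.uid() is Supabase's helper for the calling user's id.

```sql
-- Hypothetical schema: table and column names are assumptions, not Compass's own.
create table workspaces (
  id uuid primary key default gen_random_uuid(),
  admin_id uuid not null references auth.users(id)
);
create table members (
  id uuid primary key default gen_random_uuid(),
  workspace_id uuid not null references workspaces(id)
);
create table assessment_tokens (
  token_hash bytea primary key,   -- hash of the emailed token, never the raw value
  member_id uuid not null references members(id),
  expires_at timestamptz not null,
  used_at timestamptz
);
create table assessment_answers (
  member_id uuid not null references members(id),
  question_id int not null,
  answer text not null,
  primary key (member_id, question_id)
);
-- RLS: an admin's SELECT can only return rows for members of workspaces they administer.
-- The check runs inside the database, so a buggy application query cannot widen it.
alter table assessment_answers enable row level security;
create policy admin_reads_own_workspace on assessment_answers
  for select to authenticated
  using (exists (
    select 1 from members m join workspaces w on w.id = m.workspace_id
    where m.id = assessment_answers.member_id and w.admin_id = auth.uid()));
-- No INSERT policy exists: the only write path for members is the RPC below.
-- Security-definer RPC: consumes the single-use token atomically and takes the
-- member id from the token row, so the caller cannot choose whose answers to write.
create or replace function submit_assessment(p_token text, p_answers jsonb)
returns void language plpgsql security definer set search_path = public as $$
declare v_member_id uuid;
begin
  update assessment_tokens
     set used_at = now()
   where token_hash = sha256(convert_to(p_token, 'UTF8'))
     and used_at is null and expires_at > now()
  returning member_id into v_member_id;
  if v_member_id is null then
    raise exception 'invalid, expired or already-used token';
  end if;
  insert into assessment_answers (member_id, question_id, answer)
  select v_member_id, (a->>'question_id')::int, a->>'answer'
    from jsonb_array_elements(p_answers) a;
end;
$$;
revoke all on function submit_assessment(text, jsonb) from public;
grant execute on function submit_assessment(text, jsonb) to anon;
```

Because the function is security definer, it must be granted only to the anon role and must never accept a member id as a parameter; the token lookup is the sole source of identity.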

Encryption

All traffic to and from compass.buildandship.com is served over TLS 1.3. Database storage is encrypted at rest by Supabase using AES-256. Backups are encrypted with the same key management.

AI provider

The AI advisor and team report synthesis use OpenAI's API. OpenAI's API data policy states that customer prompts and completions are not used to train their models, and are retained only briefly for abuse monitoring.

We send the smallest context necessary: per-question, only the workspace name, member manuals, and any sections you pinned with / mentions.

Internal access controls

Only Mark Darling (CEO of MarkD Limited) has production access to customer data, and only for the purpose of debugging issues you report. All access is audit-logged by Supabase. No third party has standing access.

Backups and disaster recovery

Supabase performs daily Point-In-Time Recovery snapshots of the production database. Backups are retained for 7 days and are encrypted with the same keys as the live database.

Reporting a vulnerability

If you think you've found a security issue in Compass, please email mark@buildandship.com with details. We aim to acknowledge within one business day and to fix or mitigate high-severity issues within seven. We don't have a paid bounty programme yet, but we'll publicly credit legitimate disclosures (with your permission).

Incident notification

If Compass experiences a security incident affecting your data, we'll notify the affected workspace admin by email within 72 hours of confirming the incident, with what we know, what we're doing, and what we recommend you do.