Aevrum

Trust & Security

How Aevrum protects your data

Aevrum is an operational intelligence platform run by Black Line Ops. Your uploaded business data feeds dashboards, AI assistants, and recommendations — and the way we handle that data is treated as a first-class engineering concern. This page is the short, public summary of how we do that. For customer-specific commitments, see our Privacy Policy and DPA.

Encryption everywhere

TLS 1.2+ in transit. At rest, every byte sits on encrypted Supabase Postgres (AES-256). Sensitive identity fields are additionally encrypted with per-organization keys at the application layer (Phase 15).

Row-level security on every table

Every Postgres table enforces RLS at the database level. A query from one organization physically cannot reach another organization's data — even via a tampered client or a misconfigured server action. Verified by 285+ automated tests.

US-only infrastructure

Supabase Postgres + storage hosted in us-east-1 (AWS). Vercel edge serves the app from US regions. No data leaves the United States in normal operation.

Strict role model

Owner / Admin / Analyst / Viewer roles inside each organization. A separate Platform Admin role (granted via direct SQL, not a UI) is required for any cross-org operation. Every privileged action is audit-logged.

Prompt-injection defenses for AI

Kirk and the custom-widget generator (Claude API) receive your data inside untrusted-data delimiters. User-typed values are sanitized before interpolation — payloads like ‘ignore previous instructions’ are neutralized before the model sees them. The system prompt explicitly instructs Claude to treat delimited content as data only.

Full audit trail

Every login, upload, role change, AI call, share-link creation, scheduled report run, and recommendation update is recorded in audit_logs with actor, IP, and timestamp. Admins can review the full log under /app/audit; platform admins can review across orgs.

AI usage & provider choice

Aevrum’s AI features (Kirk, custom widget generation, recommendation summaries) route through Anthropic’s Claude API. Anthropic does not train on customer API traffic. When AI is disabled (the deterministic mock mode), no data leaves Aevrum’s servers.

  • • Per-user + per-organization daily rate limits prevent runaway cost or abuse
  • • Every AI call is logged with provider, prompt size, status, and (where applicable) the tool invoked
  • • PII redaction passes strip obvious identifiers from prompts before send
  • • Mock mode runs identically to real AI for development and offline demos

Compliance & certifications

SOC 2 Type I

In progress

Readiness assessment underway. Estimated completion Q3 2026.

GDPR / UK GDPR

Ready

DSR endpoints + DPA template available. EU-based customers can request EU residency on request.

HIPAA / PHI

Not supported

Aevrum is not currently a Covered Entity or BAA-eligible. Do not upload PHI.

Subprocessors

These third parties process customer data on Aevrum’s behalf. We notify customers in advance of any addition or change.

  • SupabasePostgres database, authentication, file storageus-east-1 (AWS)
  • VercelApplication hosting, edge network, build pipelineUnited States
  • AnthropicClaude API for Kirk + custom widget generationUnited States
  • ResendTransactional email (invites, alerts, weekly digest)United States

Report a security issue

We take security reports seriously. Please email security@blacklineops.ai with details of any suspected vulnerability. We’ll acknowledge within 48 hours and work with you in good faith — no legal action against researchers who follow this disclosure path.

Last updated 2026-05-23 · Aevrum is an active-development product; this page evolves alongside the controls it describes.