Primeportal is the Brand Operating System — the brand layer for AI.

© 2026 Primeportal. All rights reserved.

Security

Primeportal is built secure by design: every workspace's brand, project and AI data is isolated, access-controlled and auditable.

Last updated June 15, 2026

1. Tenant isolation

Primeportal is multi-tenant by design. Every record — workspaces, memberships, projects, brand profiles, assets and audit events — carries a workspace (tenant) identifier, and access is enforced at the database layer with Supabase Row Level Security. Policies check workspace membership before any read or write, so one workspace cannot reach another's data. Cross-workspace access is covered by an automated integration test suite.

2. Roles and access control

Access within a workspace follows role-based access control. Members hold one of four roles — owner, admin, editor or viewer — mapped to a capability matrix that is enforced on the server before any sensitive action runs, such as creating projects, inviting members or managing billing.

3. Your data and your control

  • Your brand and project content stays in your workspace. You act as the controller and Primeportal acts as processor.
  • Marshi uses your brand and project context to create, review and improve work — and you review output before anything is published.
  • Data minimisation for AI jobs: only the context a task needs is sent to the model.

4. Authentication

Sign-in is handled by Supabase Auth with email confirmation, refresh-token rotation and PKCE code exchange. Authentication endpoints are rate limited to slow down abuse.

5. Encryption and secrets

  • All traffic is served over HTTPS/TLS.
  • Connector tokens are encrypted at rest with AES-256-GCM, and the rows that hold them are reachable only by the service role — never by signed-in users.
  • Application secrets are provided through the environment, not committed to source.
  • Privileged database functions run with a pinned, empty search path to reduce injection risk.
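
The membership-checked Row Level Security described under Tenant isolation and the pinned, empty search path in the item above combine as follows in Supabase Postgres. This is an added example, not Primeportal's schema or code: every table, column, function and policy name in it is an assumption.

```sql
-- Added example for Supabase Postgres. Not Primeportal's schema: every table,
-- column, function and policy name below is an assumption.
create table public.workspace_members (
  workspace_id uuid not null,
  user_id      uuid not null,
  role         text not null check (role in ('owner', 'admin', 'editor', 'viewer')),
  primary key (workspace_id, user_id)
);
create table public.projects (
  id           uuid primary key default gen_random_uuid(),
  workspace_id uuid not null,   -- tenant identifier carried by every record
  name         text not null
);

-- Once RLS is enabled, a table with no matching policy returns no rows (deny by default).
alter table public.workspace_members enable row level security;
alter table public.projects enable row level security;

-- Membership check used by the policies. SECURITY DEFINER makes it run as its
-- owner, so it can read workspace_members even though callers cannot read other
-- users' rows. The empty search_path forces every object reference to be
-- schema-qualified, so a caller cannot shadow a table or function it uses.
create function public.is_workspace_member(ws uuid)
returns boolean
language sql stable security definer
set search_path = ''
as $$
  select exists (
    select 1 from public.workspace_members m
    where m.workspace_id = ws and m.user_id = auth.uid()
  );
$$;
revoke execute on function public.is_workspace_member(uuid) from public, anon;
grant execute on function public.is_workspace_member(uuid) to authenticated;

-- A signed-in user can see only their own membership rows.
create policy members_self on public.workspace_members
  for select to authenticated
  using (user_id = auth.uid());

-- Reads and writes on projects both require membership of the row's workspace.
-- WITH CHECK also blocks inserting or moving a row into another workspace.
create policy projects_member_access on public.projects
  for all to authenticated
  using (public.is_workspace_member(workspace_id))
  with check (public.is_workspace_member(workspace_id));
```

To check a setup like this, query `projects` as two users from different workspaces and confirm each sees only its own rows and that an insert with the other workspace's identifier is rejected.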

6. Storage

Uploaded assets live in a private storage bucket with path-based workspace isolation, protected by object-level policies that mirror the database access rules. Files are not publicly listable.

7. Audit logging

Sensitive workspace and AI operations — such as brand imports, asset changes and connector activity — are recorded as audit events capturing the actor, action, affected resource and workspace, so owners have a record of what happened.

8. Subprocessors and infrastructure

Primeportal runs on managed infrastructure and may use subprocessors for hosting, database, authentication, storage, billing, email and AI processing — including Vercel, Supabase, OpenAI, Stripe and Resend, depending on the enabled feature set. See the Data Processing page for processing details.

9. Responsible disclosure

If you believe you have found a security issue, please report it to post@primestreak.no. We will acknowledge your report and keep you updated as we investigate. Please give us a reasonable opportunity to address the issue before any public disclosure.

10. Compliance

Primeportal does not currently claim formal certifications such as SOC 2 or ISO 27001. A Data Processing Addendum is available for business use on request — see the Data Processing page. We will update this page as our compliance posture evolves.

Related documents

See the Privacy Policy, Cookie Policy and Terms of Service for the public baseline that applies to Primeportal use.