Transparency · Open Trust Protocol
Our security & privacy posture, in the open.
Adaptensor City publishes a full security & privacy audit before onboarding our first paying municipal customer — and re-publishes it quarterly. We don’t hide behind a paid certification. We show our actual posture, including the parts still in progress.
V1 · 2026.1· last updated May 13, 2026 · auditor: Claude AI (Opus 4.7), supervised by Adaptensor, Inc.
Two controls scored N/A (no inventory module; reserved module-specific control). Detailed mapping below.
Why we publish this
We’re building a platform that small municipalities will run their public-facing operations on — reporting potholes, paying water bills, signing up for council updates. Trust is the product. The right way to earn it is to show our work.
This report follows the same framework AdaptBooks and our other modules publish under: 24 controls across six criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy, and module-specific controls). Every finding — critical to cosmetic — is documented with the file path and the fix.
What we closed before V1
The first internal audit pass surfaced 24 findings, including three critical and five high-severity gaps. Sessions 16 through 19 closed all of them:
Control scorecard
Each control is rated PASS, PARTIAL, FAIL, or N/A. PARTIAL means the control is substantially implemented with a documented gap. See the full report for evidence and file references on every line.
| Criterion | Status | Notes |
|---|---|---|
| 1.1 Authentication & Identity | PASS | Clerk SSO across Adaptensor ecosystem |
| 1.2 Authorization & Access Control | PASS | userOwnsTown + role allow-list |
| 1.3 Network Security | PASS | Full headers; CSP in report-only |
| 1.4 Vulnerability Management | PASS | Dependabot + Socket supply-chain depth scanning |
| 1.5 Input Validation | PASS | Zod on every write route |
| 1.6 Encryption | PASS | TLS 1.3 + Neon AES-256 + field-encryption module |
| 1.7 Logging & Monitoring | PASS | pino + PII redaction + immutable audit log |
| 1.8 Change Management | PASS | Git + Drizzle migrations + Vercel auto-deploy |
| 2.1 Infrastructure Resilience | PASS | Vercel + Neon serverless, all SOC 2 |
| 2.2 Backup & Recovery | PASS | Neon PITR + nightly off-platform GCS dumps |
| 2.3 Offline Capability | PASS | Installable PWA per tenant |
| 3.1 Financial Accuracy | PASS | Integer cents end-to-end; Zod amount caps |
| 3.2 Inventory Accuracy | N/A | No inventory module |
| 3.3 Data Validation | PASS | Same Zod coverage as 1.5 |
| 4.1 Data Classification | PASS | Sensitive data identified and protected |
| 4.2 Data Minimization | PASS | Public APIs return only resident-facing fields |
| 4.3 Data Disposal | PASS | Daily retention cron + right-to-erase |
| 5.1 Privacy Notice & Consent | PASS | Privacy + terms + cookie banner |
| 5.2 Data Subject Rights | PASS | Self-serve delete; Clerk user.deleted handled |
| 5.3 Third-Party Processors | PASS | Documented in privacy policy |
| 6.1 Tenant Verification | PASS | Manual approval gate |
| 6.2 Resident Privacy | PASS | Rate-limited; minimized responses |
| 6.3 Stripe Connect Isolation | PASS | Per-town accounts; $0 platform fee |
| 6.4 Multi-Tenant Isolation | PASS | townId enforced on every query |
What’s still open
Since V1 publication on May 13, 2026, every finding originally listed in this section has been closed, including both of the PARTIAL ratings that V1 carried — 1.4 Vulnerability Management (Socket supply-chain depth scanning installed on top of Dependabot, closed May 15) and 2.2 Backup & Recovery (nightly off-platform GCS dumps via GitHub Actions on top of Neon PITR, closed May 15). The full score is now 22 / 24 PASS with zero PARTIAL and zero FAIL.
Three informational notes also remain documented in the full report: the field-encryption module currently has no live write sites (infrastructure shipped ahead of need), Stripe Connect ships with a deliberate $0 platform fee, and the per-tenant subdomain cert model has a soft scaling ceiling on Vercel Pro. These are recorded for transparency, not action.
Closed since V1 publication
- May 13: Upstash rate-limit provisioned via Vercel Marketplace; production traffic verified enforcing (zero fail-open warnings in 7 days of cold starts).
- May 13: GitHub Dependabot security alerts and weekly grouped version-bump PRs enabled — first run surfaced 2 moderate transitive advisories.
- May 13: Role allow-list wired to every protected admin route; Team UI shipped at /admin/settings for assigning owner / editor / viewer / water_operator / issue_handler.
- May 13: Content-Security-Policy flipped from report-only to enforcing; worker-src and Sentry connect-src extensions verified clean against Clerk + Stripe + tenant PWA flows.
- May 15: Audit-log retention automated — daily 08:00 UTC cron trims rows older than 365 days inside a single Postgres transaction (DISABLE → DELETE → ENABLE), so the immutability trigger is never left disabled across a transaction boundary.
- May 15: Self-serve one-click data export at /admin/settings (owner-only). Single JSON file fans 35 per-town tables in parallel; bearer-token tables excluded by design.
- May 15: Supply-chain depth scanning via Socket Security installed on the repo. Baseline scan returned 0 critical / 0 high / 5 low-priority hygiene-class transitive deprecations. Closes 1.4 Vulnerability Management.
- May 15: Off-platform nightly database dumps via GitHub Actions → GCS (project-scoped IAM, 30-day lifecycle, dedicated read-only Neon role). First dump verified at 135.3 KiB. Closes 2.2 Backup & Recovery.
Who else touches your data
We share the minimum data needed with the sub-processors below. Every one of them is SOC 2 Type II certified. We do not run advertising, analytics, or behavioral tracking on the platform.
| Processor | Purpose | Data |
|---|---|---|
| Clerk | Authentication | Email, name, session tokens |
| Stripe | Subscription billing + per-town water payment Connect | Payment metadata; cards are Stripe-hosted (we never see them) |
| Neon | Managed PostgreSQL | All persisted application data, encrypted at rest |
| Vercel | Application hosting + cron | Request/response data; per-tenant TLS |
| Resend | Transactional + announcement email | Recipient address, message content |
| Upstash | Distributed rate limiting | Hashed rate-limit keys (IP-derived); no PII |
What we’re doing well
- Append-only audit log. Database-level triggers block UPDATE and DELETE against every role, including the table owner. Tamper-evident by construction.
- Email-loop town deletion. The owner must type the town name and click a one-time token sent to their on-file address. Defeats accidental clicks and forwarded-email attacks.
- PII redaction in logs. Email, phone, token, and reporter fields are replaced with
[REDACTED]before any log line leaves the server. - RFC 8058 one-click unsubscribe on every transactional welcome and broadcast email. Tokens are minted at signup, never reused, never lazy.
- Per-tenant Stripe Connect.Town water payments flow directly to the town’s Connect account. The platform never custodies the funds and charges $0 application fee.
- No behavioral tracking. Zero analytics, advertising, or cross-site tracking on either the marketing site or any resident-facing tenant site, by default.
Accessibility
Adaptensor City targets Web Content Accessibility Guidelines (WCAG) 2.1 Level AA, the legal bar set by the U.S. Department of Justice's 2024 final rule under Title II of the Americans with Disabilities Act. Small municipalities have until April 26, 2027 to meet this standard. We're published and verifiable today, well ahead.
Phases 1–3 + 5 complete as of May 13, 2026: zero critical or serious axe-core violations on every public route, contrast tokens audited and fixed at the token level, keyboard reorder added to the builder, skip link wired into every page. Phase 4 (manual screen-reader pass) is partial: marketing flow verified via Windows Narrator (skip link, heading order, landmarks, link labels); admin builder and resident submit flows verified by code review only and deferred to an external auditor or a future internal pass with a trained operator. The Playwright spec at tests/a11y.spec.ts is committed; we run npm run a11y before each deploy.
Email support@adaptensor.com to report a barrier. We respond within 5 business days and prioritize fixes ahead of other non-critical work. Full conformance statement, scope, and known limitations: ACCESSIBILITY.md.
Audit history
| Version | Date | Score |
|---|---|---|
| V1 (Initial) | May 13, 2026 | 20 / 24 PASS · 0 FAIL |
| V2 (Quarterly, target) | August 2026 | TBD |
| V3 (Quarterly, target) | November 2026 | TBD |
When something goes wrong, our response is documented and public: Incident response runbook.
Full report
Read the full V1 report with every fix verification, evidence pointer, and remediation plan: CITY_OTP_AUDIT_V1.md.
Found something we missed? Email support@adaptensor.com. We treat every report as in-scope for the bug-bounty intent of this program; we will credit you in the next quarterly audit unless you ask us not to.
See also the Privacy Policy and Terms of Service.