SECURITY & DATA CONFIDENCE

Controlled finance data, in a controlled system.

Firm-scoped data isolation enforced at the database layer. Every edit captured in audit_log with actor, timestamp, before/after. AI is used for drafting; every output is human-reviewed before publish.

EIGHT CONTROLS

Eight controls that matter for finance work.

Security copy is treated like every other claim: nothing claimed unless it traces to a Register row, and roadmap items are framed in future tense.

Firm-scoped access

Firm-scoped data isolation enforced at the database layer.

Owner access

Owners log in to see what changed, what it means, and what they need to decide. (Client Portal is on the roadmap.)

Tenant isolation

Firm-scoped data isolation enforced at the database layer.

Versioning

Forecasts are versioned and locked. Each version preserves the assumptions from when it was sent.

Audit log

Every edit captured in audit_log with actor, timestamp, before/after.

Source notes and caveats

Reports show source context and caveats where they matter, so the reader knows what to rely on and what still needs judgment.

Controlled distribution

Lenders and board members get magic-link access to specific deliverables. Tokens expire.

Human CFO judgment

AI is used for drafting (Working Brief skeleton, Pack section drafts). Every output is human-reviewed before publish.

DATA RESIDENCY

Where the data lives.

Financial data hosted on Supabase Postgres in Canadian region (ca-central-1).

The hosting language above is specific. Data sits in a Canadian Supabase Postgres region. The platform does not shorten that to generic phrases like "data in Canada" without the technical context.

Region: ca-central-1

Provider: Supabase
Database: Postgres
Region: Canada (ca-central-1)
Isolation: Firm-scoped at DB layer

ACCESS MODEL

Who can see what.

Firm-scoped data isolation enforced at the database layer. The access model below describes the permission structure across FourX team, owner, controller, lender, and board / advisor roles. Some access tiers are live today; stakeholder access is on the roadmap.

Deliverable         FourX team   Owner   Controller   Lender       Board
Working Brief       Full         Read    Read         None         None
KPI Dashboard       Full         Read    Read         None         None
Action Register     Full         Read    Read         None         None
Decision Log        Full         Read    Read         None         Restricted
Forecast Versions   Full         Read    Read         Restricted   Restricted
Monthly CFO Pack    Full         Read    Read         Restricted   Restricted
Audit log           Full         None    None         None         None

Lenders and board members get magic-link access to specific deliverables. Tokens expire.
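As an added illustration (not FourX's schema or code), this is one way "firm-scoped isolation enforced at the database layer" is typically realised on Postgres: a row-level security policy that derives the caller's firm from the session, so a query that omits the firm filter still cannot see or write another firm's rows. The table, its columns and the `firm_id` JWT claim are assumptions.

```sql
-- Added illustration, not FourX's schema. Table, columns and the firm_id claim are assumptions.
create table forecast_versions (
  id         bigserial primary key,
  firm_id    uuid    not null,
  version_no integer not null,
  locked     boolean not null default false,
  body       jsonb   not null
);

-- Row-level security puts the firm filter on the table itself, so application code
-- that forgets "where firm_id = ..." still cannot read or write another firm's rows.
alter table forecast_versions enable row level security;
alter table forecast_versions force row level security;  -- the table owner is not exempt

-- Supabase exposes the caller's JWT claims in request.jwt.claims; a firm_id claim is assumed.
-- A missing or empty setting yields NULL, and NULL matches no row below.
create or replace function current_firm_id() returns uuid
language sql stable as $$
  select (nullif(current_setting('request.jwt.claims', true), '')::jsonb ->> 'firm_id')::uuid
$$;

-- USING governs which rows are visible (select/update/delete);
-- WITH CHECK governs which rows may be written (insert/update).
create policy firm_scope on forecast_versions
  for all
  using      (firm_id = current_firm_id())
  with check (firm_id = current_firm_id());

-- Smoke check with constructed values. Run as a non-superuser role: superusers bypass RLS.
select set_config('request.jwt.claims',
                  '{"firm_id":"11111111-1111-1111-1111-111111111111"}', false);
insert into forecast_versions (firm_id, version_no, body)
values ('11111111-1111-1111-1111-111111111111', 1, '{}');   -- same firm: accepted
insert into forecast_versions (firm_id, version_no, body)
values ('22222222-2222-2222-2222-222222222222', 1, '{}');   -- other firm: row-level security error
select * from forecast_versions;                            -- only the caller's firm's rows
```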

AUDIT TRAIL

Every edit captured.

Every edit captured in audit_log with actor, timestamp, before/after.

Working Brief edits, KPI observation changes, forecast revisions, and decision log entries all flow into the same audit feed. Every deliverable moves through draft, ready for review, and final states. Final is immutable.
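As an added illustration (not FourX's schema or code), the two mechanisms this section describes, an audit_log row with actor, timestamp and before/after image for every edit, and a final state the database refuses to change, map onto a pair of Postgres triggers. The tables, the state names and the `app.actor` session setting are assumptions.

```sql
-- Added illustration, not FourX's schema. Tables, columns and the app.actor setting are assumptions.
create table working_briefs (
  id      bigserial primary key,
  state   text  not null default 'draft' check (state in ('draft', 'ready_for_review', 'final')),
  content jsonb not null
);
create table audit_log (
  id bigserial primary key, table_name text not null, row_id bigint not null,
  actor text not null, at timestamptz not null default now(),
  before jsonb,   -- null for inserts
  after  jsonb    -- null for deletes
);

-- One trigger function serves every audited table: OLD/NEW supply the before/after
-- images, the actor comes from a session setting the application sets per request.
create or replace function audit_row() returns trigger
language plpgsql as $$
begin
  insert into audit_log (table_name, row_id, actor, before, after)
  values (
    tg_table_name,
    case tg_op when 'DELETE' then old.id else new.id end,
    coalesce(nullif(current_setting('app.actor', true), ''), session_user::text),
    case when tg_op in ('UPDATE', 'DELETE') then to_jsonb(old) end,
    case when tg_op in ('INSERT', 'UPDATE') then to_jsonb(new) end
  );
  return null;  -- AFTER triggers ignore the return value
end $$;

-- Final is immutable: the database refuses the change, so nothing reaches the audit trigger.
create or replace function refuse_if_final() returns trigger
language plpgsql as $$
begin
  if old.state = 'final' then
    raise exception 'working brief % is final and cannot be changed', old.id;
  end if;
  if tg_op = 'DELETE' then return old; end if;  -- returning null here would cancel the delete
  return new;
end $$;

create trigger working_briefs_audit after insert or update or delete
  on working_briefs for each row execute function audit_row();
create trigger working_briefs_lock before update or delete
  on working_briefs for each row execute function refuse_if_final();

-- The promotion from the sample tail, with constructed values: actor set for the session,
-- the row moves draft -> ready_for_review, and audit_log gets a before/after pair differing in state.
select set_config('app.actor', 'MS', false);
insert into working_briefs (content) values ('{}');
update working_briefs set state = 'ready_for_review' where id = 1;
```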

AUDIT_LOG (SAMPLE)

live tail · 2026-04-30

Time      Actor  Action                                 Detail
10:47:23  MS     edited Working Brief: April 2026       Health snapshot section
10:42:11  JL     added KPI observation                  Gross margin: -110 bps note
10:38:54  MS     locked Forecast v3 (Bank submission)   State: Locked
10:32:08  JL     logged Decision DEC-042                Linked to ACT-019, Forecast v4
10:28:41  MS     promoted Pack: April 2026              Draft → Ready for review

Each row preserves actor, timestamp, and before/after. Sample render.

AI IN THE LOOP

AI assists drafting. Humans approve.

AI is used for drafting (Working Brief skeleton, Pack section drafts). Every output is human-reviewed before publish.

AI helps prepare first-pass narrative. It does not make autonomous financial decisions, approve deliverables, or replace the FourX team's judgment.

What AI does

  • Drafts the Working Brief skeleton from prior period structure.

  • Drafts Pack section copy from KPIs and observations.

What AI does not do

  × Makes autonomous financial decisions.

  × Approves or publishes deliverables.

  × Replaces FourX team review.

COMPLIANCE POSTURE

Where we are, where we are headed.

Today

  • Firm-scoped data isolation enforced at the database layer.

  • Financial data hosted on Supabase Postgres in Canadian region (ca-central-1).

  • Every edit captured in audit_log with actor, timestamp, before/after.

  • AI is used for drafting (Working Brief skeleton, Pack section drafts). Every output is human-reviewed before publish.

Roadmap

  • SOC 2 Type II is on the roadmap (target: 2027).

  • Lenders and board members get magic-link access to specific deliverables. Tokens expire.

  • Owners log in to see what changed, what it means, and what they need to decide. (Client Portal is on the roadmap.)

FAQ

Common questions.

Where is financial data hosted?

Financial data hosted on Supabase Postgres in Canadian region (ca-central-1).

Who has access?

Firm-scoped data isolation enforced at the database layer. Lenders and board members get magic-link access to specific deliverables, with expiring tokens.

What gets logged?

Every edit captured in audit_log with actor, timestamp, before/after.

Is the platform SOC 2 certified?

SOC 2 Type II is on the roadmap (target: 2027).

Does AI make recommendations or approve reports?

AI is used for drafting (Working Brief skeleton, Pack section drafts). Every output is human-reviewed before publish.

Can stakeholders access reports without a full account?

Lenders and board members get magic-link access to specific deliverables. Tokens expire.

Discuss your security and governance requirements.

If your controller, lender, board, or IT advisor has questions, bring them into the walkthrough.