SourceDeck is in active development. This page is the single source of truth for what's shipped, what's partial, and what's planned. We don't claim certifications we don't hold.
First-time users see an empty workspace. No personal information, no seeded contacts, no demo records auto-load. Demo data loads only after an explicit user action.
Your sources, queries, pitches, and notes stay in your workspace. The static client never carries one operator's personal data into another tenant's bundle.
Logged-out users see no saved data. Logged-in users see only data scoped to their authenticated identity. If ownership cannot be verified, the workspace fails closed and shows an empty workspace.
Storage keys are scoped per (tenant, user). The codebase does not reuse a single global key that could cause one user's data to surface in another user's session.
The service worker caches the public marketing shell only. Authenticated paths (/api/, /app/, /auth/callback/, /settings/, /checkout/) are explicitly never cached.
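As an added illustration (not SourceDeck's code), the caching rule above can be written as a fail-closed check in a service worker's fetch handler. The cache name, the function name, and the extra method, origin and Authorization-header checks are assumptions; only the five path prefixes come from this page.

```javascript
// Added example, not SourceDeck's code. Only the five prefixes come from this page.
const NEVER_CACHE_PREFIXES = ['/api/', '/app/', '/auth/callback/', '/settings/', '/checkout/'];
const SHELL_CACHE = 'public-shell-v1'; // hypothetical cache name

// Returns true only when a request is provably part of the public shell.
// Anything that cannot be parsed or normalised is treated as not cacheable.
function isCacheable(method, rawUrl, origin, hasAuthHeader) {
  if (method !== 'GET' || hasAuthHeader) return false;
  let path;
  try {
    const url = new URL(rawUrl, origin); // resolves "../" and "%2e%2e" segments
    if (url.origin !== origin) return false; // also catches "//host/path"
    path = decodeURIComponent(url.pathname); // "/%61pi/" -> "/api/"
  } catch {
    return false; // malformed URL or escape sequence: fail closed
  }
  // Collapse duplicate slashes and ignore case so variants cannot slip past.
  path = path.replace(/\/{2,}/g, '/').toLowerCase();
  if (path.includes('..')) return false;
  // Compare with a trailing slash so "/app" is blocked but "/apple" is not.
  const probe = path.endsWith('/') ? path : path + '/';
  return !NEVER_CACHE_PREFIXES.some((prefix) => probe.startsWith(prefix));
}

// Wiring; runs only inside a service worker (skipped under Node).
if (typeof self !== 'undefined' && typeof caches !== 'undefined' &&
    typeof self.addEventListener === 'function') {
  self.addEventListener('fetch', (event) => {
    const req = event.request;
    const ok = isCacheable(req.method, req.url, self.location.origin,
      req.headers.has('authorization'));
    if (!ok) return; // no respondWith: straight to network, nothing stored
    event.respondWith(caches.open(SHELL_CACHE).then(async (cache) => {
      const hit = await cache.match(req);
      if (hit) return hit;
      const res = await fetch(req);
      const cc = res.headers.get('cache-control') || '';
      // Honour the server's own opt-out even on public paths.
      if (res.ok && !/no-store|private/i.test(cc)) await cache.put(req, res.clone());
      return res;
    }));
  });
}
```

A reviewer can check the same property from the browser's Application panel: after signing in and browsing, the cache should hold no entry under any of the five prefixes.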
watsonx.ai integration is under configuration review. Code-side adapters and tests are in place; live runtime association is not yet verified. We will represent watsonx as production-ready only after runtime association and live smoke testing succeed.
OIDC middleware foundation is built. A live SSO/IAM identity provider is not yet wired. Roles (owner / admin / analyst / viewer) are enforced server-side at the route layer.
Every state-changing AI call emits a structured event with model id, prompt version, and token usage. Document content and raw prompts are never persisted. Export to a SIEM is documented; live forwarding is not yet wired.
SourceDeck is not SOC 2, HIPAA, FedRAMP, ISO 27001, CMMC, or HITRUST certified. We are happy to participate in customer security reviews and to track concrete commitments toward formal certification when a paying enterprise contract requires it.
We do not currently claim "end-to-end encrypted" or "zero data retention" because those terms have specific technical meanings we have not implemented. Data in transit uses TLS via the hosting provider. Data at rest is stored by the configured backend (default: local browser storage; optional cloud backends available where configured).
Email contact sales with the email address tied to your workspace. We will respond within one business day.
If you find a security issue, email contact sales with subject "security disclosure." We respond within one business day for acknowledgement and within five business days for triage. Please don't open public GitHub issues for security reports.
We add to this list when something becomes a real customer commitment, not before.