This overview describes the security controls currently implemented in the platform. It complements section 13 of the Terms of Use and section 5 of the Data Processing and Security Addendum.
1. Access control and permissions (RBAC)
Role model: System Admin, Organization Admin, Operations Manager, Team Lead, Employee, Viewer, Compliance Auditor.
Permission checks are key-based (e.g. approvals.assign, legal.dpa.accept, legal.documents.manage) via the has_permission function, with per-user override support.
Global Admin is derived solely from membership in the app_admins table — never from an organizational role.
2. Row-Level Security in the database
RLS is enabled on every table containing customer data. Policies use SECURITY DEFINER functions (has_permission, user_belongs_to_org) to avoid recursion and expose only permitted rows.
3. Device authentication for the extension
The extension transmits a Bearer token whose SHA-256 hash is the only value stored server-side. API calls verify the hash, resolve the device and its user, and return only items within the device's authorized scope (get_device_authorized_items).
4. Sensitive field blocking
Validation on both the client and the server side (the validate_flow_steps_trigger trigger and validateSteps in Edge functions) rejects value, inputValue, password, ssn, idNumber, creditCard, screenshot, html, token, cookie, authorization and similar fields.
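The following is an added example, not the platform's own validateSteps code: a recursive check that reports blocked field names at any nesting depth in a flow-step payload. The function names findBlockedFields and checkSteps, the MAX_DEPTH limit, the case-insensitive matching and the sample steps are assumptions; the key list is the one given above, without guessing at the "similar fields".

```javascript
// Blocked keys as listed on this page, lower-cased for case-insensitive matching
// (assumption: "InputValue" and "inputValue" should be treated alike).
const BLOCKED_FIELDS = new Set([
  "value", "inputValue", "password", "ssn", "idNumber", "creditCard",
  "screenshot", "html", "token", "cookie", "authorization",
].map((k) => k.toLowerCase()));

// Assumption: cap nesting so a hostile payload cannot exhaust the stack.
const MAX_DEPTH = 32;

// Returns the path of every blocked key found anywhere inside `node`.
function findBlockedFields(node, path = "steps", depth = 0, hits = []) {
  if (depth > MAX_DEPTH) {
    hits.push(`${path} (nesting too deep)`);
    return hits;
  }
  if (Array.isArray(node)) {
    node.forEach((item, i) => findBlockedFields(item, `${path}[${i}]`, depth + 1, hits));
  } else if (node !== null && typeof node === "object") {
    for (const [key, child] of Object.entries(node)) {
      const here = `${path}.${key}`;
      if (BLOCKED_FIELDS.has(key.toLowerCase())) {
        hits.push(here); // report the key path only, never the field's contents
      } else {
        findBlockedFields(child, here, depth + 1, hits);
      }
    }
  }
  return hits;
}

// Hypothetical entry point: fail closed unless the payload is an array of steps.
function checkSteps(steps) {
  if (!Array.isArray(steps)) return { ok: false, blocked: ["steps (not an array)"] };
  const blocked = findBlockedFields(steps);
  return { ok: blocked.length === 0, blocked };
}

// Constructed sample input (not real data): two steps hide blocked keys in nested data.
const sampleSteps = [
  { action: "click", selector: "#submit" },
  { action: "type", selector: "#user", meta: { InputValue: "alice" } },
  { action: "wait", extras: [{ Cookie: "sid=abc" }] },
];
console.log(checkSteps(sampleSteps));
```

Returning key paths rather than values keeps the rejected data out of error messages and logs.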
5. Audit logging
Every sensitive action — assignment, approval, rejection, blocking, legal acceptance, legal document publication — is recorded in audit_logs with user, organization, entity, event type and metadata.
6. Encryption in transit
All traffic to the platform and extension is served over HTTPS.
7. Secret management
The database service_role key is never exposed to the browser and never logged. Its use is restricted to trusted server functions only.
8. Security incidents
In case of a material security incident, the notice will include a general description of the incident, categories of affected information, steps taken and recommended next steps, per section 7 of the Data Processing and Security Addendum.
