Security controls for workplace activity data, documents, and enterprise procurement.
Culturely handles company activity plans, employee participation, vendor responses, finance documents, HRD evidence, and admin records. This page explains the controls currently represented in the platform without claiming certifications that have not been completed.
Tenant-separated workspace data
Corporate, vendor, employee, finance, and admin records are separated by workspace ownership and role checks. Supabase row-level security (RLS) policies are used where production tables hold private records.
Role-based workspace access
Corporate owners/admins, finance approvers, managers, viewers, vendor owners, vendor finance, vendor sales, and platform admins are routed to different capabilities.
Private document storage
Finance, HRD, receipt, quotation, e-invoice, payment proof, and event documents are stored through private document flows with metadata and audit records.
Audit trails
Workspace actions such as role changes, exports, approvals, uploads, document reviews, SCIM token rotation, and enterprise setting changes create audit records.
SSO / SAML readiness
Enterprise workspaces can record SAML or OIDC configuration, domains, metadata, certificate fingerprints, and enforcement readiness before SSO is turned on.
SCIM provisioning readiness
Enterprise workspaces can issue hashed SCIM bearer tokens and use a token-protected Users endpoint for employee directory visibility.
What enterprise buyers can configure
In Corporate Workspace, owners and corporate admins can configure allowed email domains, SSO enforcement readiness, MFA policy expectation, retention periods for audit, event, employee, and document data, export reason and approval policy, export roles, DPA status, privacy contact, security owner, and SCIM token readiness.
Certification status
Culturely does not currently claim SOC 2, ISO 27001, GDPR certification, or penetration-test certification. Any such claim will be made only if those documents are later completed and attached by the platform admin.
