Trust · Security

Security practices that hold up to a state procurement review.

We built 1water.ai knowing it would be handling utility compliance data — including SDWIS violations and published CCRs — from day one. Security is a build target, not a compliance checkbox.

How we build

The security foundations.

Encryption in transit and at rest

All traffic to 1water.ai is served over TLS 1.2+ with HSTS enforced. Database, backup, and object storage are AES-256 encrypted at rest by the hosting providers.

Tenant isolation by row-level security

Every tenant's data is scoped by PWSID (Public Water System ID). Supabase RLS policies enforce tenant boundaries at the database layer, not just the app layer.

Least-privilege access

Employees access production data only under explicit, logged, on-call rotations. Service credentials are scoped to the minimum required capabilities and rotated on a schedule.

Audit log on every compliance action

Every compliance-relevant action (tool call, draft change, publish) writes to an append-only event log. Events are retained for 5 years per 40 CFR § 141.155.
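As an added illustration of the two controls above (PWSID-scoped RLS and an append-only event log), the following is example Supabase/Postgres DDL, not 1water.ai's own schema or policies; the table names, columns and the JWT claim carrying the PWSID are assumptions.

```sql
-- Hypothetical schema, not 1water.ai's real tables: every compliance row carries its PWSID.
create table ccr_drafts (
  id    bigint generated always as identity primary key,
  pwsid text not null,
  body  jsonb not null
);
-- Assumption: the tenant's PWSID rides in the JWT's app_metadata claim. app_metadata is used
-- rather than user_metadata because Supabase lets end users edit the latter themselves.
-- auth.jwt() is Supabase's helper that returns the current request's JWT as jsonb.
create or replace function current_pwsid() returns text
language sql stable as $$
  select nullif(auth.jwt() -> 'app_metadata' ->> 'pwsid', '')
$$;
-- RLS is off by default; without ENABLE the policy below is never consulted.
-- FORCE makes it apply to the table owner as well.
alter table ccr_drafts enable row level security;
alter table ccr_drafts force row level security;
-- A tenant can read and change only rows whose PWSID equals its own claim.
create policy tenant_isolation on ccr_drafts
  for all to authenticated
  using (pwsid = current_pwsid())
  with check (pwsid = current_pwsid());
-- Append-only event log: one row per tool call, draft change or publish.
create table compliance_events (
  id          bigint generated always as identity primary key,
  pwsid       text not null,
  actor       uuid not null default auth.uid(),
  action      text not null check (action in ('tool_call', 'draft_change', 'publish')),
  payload     jsonb not null default '{}'::jsonb,
  occurred_at timestamptz not null default now()
);
alter table compliance_events enable row level security;
alter table compliance_events force row level security;
-- Tenants may append and read their own events. No UPDATE or DELETE policy exists,
-- so RLS denies those statements outright for the authenticated role.
create policy events_append on compliance_events for insert to authenticated
  with check (pwsid = current_pwsid());
create policy events_read on compliance_events for select to authenticated
  using (pwsid = current_pwsid());
-- Roles that bypass RLS (e.g. Supabase's service_role) still hit this trigger.
create or replace function reject_mutation() returns trigger
language plpgsql as $$
begin
  raise exception 'compliance_events is append-only';
end $$;
create trigger compliance_events_immutable
  before update or delete on compliance_events
  for each row execute function reject_mutation();
```

A quick check after applying this is to sign in as a user whose claim holds one PWSID and confirm that a SELECT on ccr_drafts returns only that PWSID's rows and that an UPDATE on compliance_events raises the append-only error.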

Roadmap

Certifications on the roadmap.

SOC 2 Type I — in progress (target Q3 2026)

We’re in the audit-readiness phase with our auditor. The Type I report is targeted for Q3 2026, with a Type II follow-up 12 months later. We’re happy to share our current SOC 2 readiness memo with procurement teams under NDA; email security@1water.ai.

Annual penetration test

Every year we commission an independent application penetration test. The most recent report is available to Pro and Full Service customers under NDA.

BAAs for HIPAA-adjacent workflows

Most CCR data is public-facing. For utility workflows that touch HIPAA-adjacent records (certain public education campaigns on Lead and Copper), we’re prepared to sign a BAA.

Disclosure

Reporting a vulnerability.

Email security@1water.ai with a clear reproduction case. We triage within one business day. Good-faith research under our safe-harbor terms (no data exfiltration, no destructive testing, no abuse of other tenants) is welcome and will not result in legal action.

We publicly credit responsible disclosures in the changelog when the reporter consents.
