Security

How ERRA protects your formula data.

Your formulations are trade secrets and your records are regulatory evidence. Everything on this page describes what is built and enforced today — no aspirational claims, no badges we haven't earned.

Tenant isolation, enforced by the database

Each organization's data is isolated with PostgreSQL Row-Level Security. Isolation is enforced at the database level — not by application code remembering to filter. Another tenant's data is invisible to your queries by construction. This is a property of the architecture, not a policy we ask our code to follow.

An audit trail that cannot be edited

Every create, update, and delete on your domain data writes an append-only audit record: who, what, when, and the before-and-after state. The application's database role has no permission to update or delete audit rows — the database itself refuses. Label exports are recorded too: who downloaded which panel version, and when.

Approved formula versions are immutable

Once a formula version is approved, it cannot be modified — enforced by database triggers, not just application rules. Reformulation creates a new version; the approved record is preserved exactly as it was. A label PDF can only be generated from an approved, immutable version.

Role-based permissions on every action

Every action in ERRA is checked against the user's role — viewing, editing, approving, and exporting are separate permissions. Approvals require a named human decision, recorded in the audit trail. Passwords are hashed, never stored in plaintext.

Tested against reality

ERRA's regulatory engine is covered by more than 600 automated tests, including validation of generated Supplement Facts panels against real printed labels. The test suite runs on every change before it can ship. If a generated value ever disagrees with a verified label, we treat it as a release-blocking bug.

Deterministic math — no AI in regulatory calculations

ERRA uses no AI in the product today. Panel values, %DV rounding, allergen derivation, and cost calculations are deterministic, CFR-cited code — auditable and reproducible. Any AI we add is on the roadmap and will be limited to data-entry assistance (CSV column mapping, ingredient suggestions) and nothing else: no AI output will reach a label without your explicit confirmation, and your formula data will never be used to train third-party AI models.

Encryption

Your data is encrypted at rest and in transit. Storage encryption is provided by AWS database and object storage encryption; all connections use TLS. Credentials and secrets are stored in AWS Secrets Manager — never in application code.

Data ownership and portability

You own your data. CSV export of your ingredients, formulas, products, and suppliers is available at any time. If you leave ERRA, your data leaves with you.

Infrastructure

ERRA runs on AWS in the United States: Aurora Serverless v2 (PostgreSQL), Lambda, S3, CloudFront, and Secrets Manager, with automated backups via Aurora point-in-time recovery. Deployments run through CI with no long-lived cloud credentials. A subprocessor list is available on request at security@goerra.com.

Certifications — what we do and don't have

ERRA does not currently hold SOC 2 or ISO 27001 certification, and we won't imply otherwise. What we offer instead is verifiable architecture: the isolation, audit, and immutability guarantees above are enforced by the database and demonstrated in our automated test suite. We're happy to walk your team through the security architecture on a call or complete your security questionnaire — contact security@goerra.com.

For your QA team

Responsible disclosure

If you discover a security concern, contact security@goerra.com. We take every report seriously and will respond within 48 hours.