How ERRA protects your formula data.
Your formulations are trade secrets and your records are regulatory evidence. Everything on this page describes what is built and enforced today — no aspirational claims, no badges we haven't earned.
Tenant isolation, enforced by the database
Each organization's data is isolated with PostgreSQL Row-Level Security. Isolation is enforced at the database level — not by application code remembering to filter. Another tenant's data is invisible to your queries by construction. This is a property of the architecture, not a policy we ask our code to follow.
An audit trail that cannot be edited
Every create, update, and delete on your domain data writes an append-only audit record: who, what, when, and the before-and-after state. The application's database role has no permission to update or delete audit rows — the database itself refuses. Label exports are recorded too: who downloaded which panel version, and when.
Approved formula versions are immutable
Once a formula version is approved, it cannot be modified — enforced by database triggers, not just application rules. Reformulation creates a new version; the approved record is preserved exactly as it was. A label PDF can only be generated from an approved, immutable version.
Role-based permissions on every action
Every action in ERRA is checked against the user's role — viewing, editing, approving, and exporting are separate permissions. Approvals require a named human decision, recorded in the audit trail. Passwords are hashed, never stored in plaintext.
Tested against reality
ERRA's regulatory engine is covered by more than 600 automated tests, including validation of generated Supplement Facts panels against real printed labels. The test suite runs on every change before it can ship. If a generated value ever disagrees with a verified label, we treat it as a release-blocking bug.
Deterministic math — no AI in regulatory calculations
ERRA uses no AI in the product today. Panel values, %DV rounding, allergen derivation, and cost calculations are deterministic, CFR-cited code — auditable and reproducible. Any AI we add is on the roadmap and will be limited to data-entry assistance (CSV column mapping, ingredient suggestions) and nothing else: no AI output will reach a label without your explicit confirmation, and your formula data will never be used to train third-party AI models.
Encryption
Your data is encrypted at rest and in transit. Storage encryption is provided by AWS database and object storage encryption; all connections use TLS. Credentials and secrets are stored in AWS Secrets Manager — never in application code.
Data ownership and portability
You own your data. CSV export of your ingredients, formulas, products, and suppliers is available at any time. If you leave ERRA, your data leaves with you.
Infrastructure
ERRA runs on AWS in the United States: Aurora Serverless v2 (PostgreSQL), Lambda, S3, CloudFront, and Secrets Manager, with automated backups via Aurora point-in-time recovery. Deployments run through CI with no long-lived cloud credentials. A subprocessor list is available on request at security@goerra.com.
Certifications — what we do and don't have
ERRA does not currently hold SOC 2 or ISO 27001 certification, and we won't imply otherwise. What we offer instead is verifiable architecture: the isolation, audit, and immutability guarantees above are enforced by the database and demonstrated in our automated test suite. We're happy to walk your team through the security architecture on a call or complete your security questionnaire — contact security@goerra.com.
For your QA team
- Multi-tenant isolation: PostgreSQL Row-Level Security with per-request tenant context set in a single middleware layer — no per-query hand filtering.
- Audit log: append-only by database privilege — the application role is denied UPDATE and DELETE on audit records. Entries capture actor, organization, entity, action, before/after diff, and timestamp.
- Version control: approved formula versions are immutable via database triggers; reformulation is a new version with full lineage retained.
- Export gating: label PDFs can only be generated from approved versions; every export writes an audit record.
- Regulatory math: pure, unit-tested functions citing the CFR section they implement (21 CFR 101.36 panel rules); 600+ automated tests including line-for-line validation against real printed labels; no LLM in any calculation path.
- Numerics: money and quantities are typed — integer minor units or decimals with explicit units of measure, no floating-point label math.
Responsible disclosure
If you discover a security concern, contact security@goerra.com. We take every report seriously and will respond within 48 hours.