Security and Data Handling in Sophic
Sophic is built to keep your team's operational knowledge private and scoped to the people who should see it. This article explains how we store, isolate, and protect your data.
Workspace isolation and row-level security
Sophic runs on Supabase (PostgreSQL) with row-level security (RLS) enabled. Every query is scoped to a single workspace, and the RLS policies enforce that scope row by row inside the database, so one workspace can never read another's documents, captures, or settings; the isolation does not depend on each application query remembering to filter by workspace.
Folder visibility and roles
Within a workspace, access is gated by folder visibility tiers:
- Workspace — every member of the workspace can see the folder.
- Role — only members at or above a required role can see the folder.
Workspace roles, from highest to lowest, are owner, admin, editor, viewer, and agent-only. Members are invited by email and assigned a role, and teams let you group members together. This lets admins keep sensitive runbooks visible only to the right people.
Credentials: hashed, revocable, expirable
Personal Access Tokens (PATs) and workspace API keys are never stored in plaintext. Sophic keeps only a SHA-256 hash of each credential, and every credential can be revoked or set to expire.
API keys also carry:
- Action scopes — read, capture, or admin.
- A folder-visibility role — admin, editor, viewer, or agent-only.
- An optional expiry.
Workspace owners and admins create API keys in workspace settings. Read endpoints only return documents that live in workspace-visible folders.
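The role ordering, the two folder-visibility tiers, and the hashed, scoped, expirable API keys described above can be written down as one small model. The following is an added example, not Sophic's own code: the key format (an `sk_` prefix), the numeric role ranks, the in-memory store and the constructed document dicts are assumptions made for the demonstration; only the role names, scopes, visibility tiers and the SHA-256-only storage come from the page.

```python
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Workspace roles from highest to lowest, ranked so "at or above" is a comparison
# (the numbers are an assumption of this example).
ROLE_RANK = {"owner": 4, "admin": 3, "editor": 2, "viewer": 1, "agent-only": 0}
KEY_ROLES = {"admin", "editor", "viewer", "agent-only"}   # roles an API key may carry
SCOPES = {"read", "capture", "admin"}                    # action scopes


def can_see_folder(role: str, visibility: str, required_role: str | None = None) -> bool:
    """Apply the two visibility tiers: a 'workspace' folder is open to every
    member; a 'role' folder needs a role at or above required_role."""
    if visibility == "workspace":
        return True
    if visibility == "role":
        if required_role is None:
            raise ValueError("a role-gated folder needs a required_role")
        return ROLE_RANK[role] >= ROLE_RANK[required_role]
    raise ValueError(f"unknown visibility tier {visibility!r}")


@dataclass
class ApiKey:
    key_id: str                   # public identifier, used to revoke the key
    key_hash: str                 # hex SHA-256 of the secret; the secret is never stored
    scopes: frozenset[str]        # subset of SCOPES
    role: str                     # folder-visibility role the key acts with
    expires_at: datetime | None   # None means the key does not expire
    revoked_at: datetime | None = None


class ApiKeyStore:
    """In-memory stand-in for a keys table. Because only hashes are kept, a
    copy of this table does not yield usable credentials."""

    def __init__(self) -> None:
        self._by_hash: dict[str, ApiKey] = {}
        self._by_id: dict[str, ApiKey] = {}

    @staticmethod
    def _digest(secret: str) -> str:
        return hashlib.sha256(secret.encode()).hexdigest()

    def create(self, scopes, role: str, ttl: timedelta | None = None,
               now: datetime | None = None) -> tuple[str, str]:
        """Mint a key and return (key_id, secret); the secret is shown once only."""
        if not set(scopes) <= SCOPES or role not in KEY_ROLES:
            raise ValueError("invalid scopes or role")
        now = now or datetime.now(timezone.utc)
        secret = "sk_" + secrets.token_urlsafe(32)        # hypothetical key format
        key = ApiKey(
            key_id=secrets.token_hex(8),
            key_hash=self._digest(secret),
            scopes=frozenset(scopes),
            role=role,
            expires_at=(now + ttl) if ttl else None,
        )
        self._by_hash[key.key_hash] = key
        self._by_id[key.key_id] = key
        return key.key_id, secret

    def revoke(self, key_id: str, now: datetime | None = None) -> None:
        self._by_id[key_id].revoked_at = now or datetime.now(timezone.utc)

    def authenticate(self, presented: str, scope: str,
                     now: datetime | None = None) -> ApiKey | None:
        """Hash the presented secret, look it up, and enforce scope, revocation
        and expiry. The secret is 256 bits of randomness, so an index lookup on
        its hash is sufficient; no slow password hash is needed."""
        now = now or datetime.now(timezone.utc)
        key = self._by_hash.get(self._digest(presented))
        if key is None or scope not in key.scopes:
            return None
        if key.revoked_at is not None:
            return None
        if key.expires_at is not None and key.expires_at <= now:
            return None
        return key


def readable_documents(documents: list[dict]) -> list[dict]:
    """Read endpoints return only documents in workspace-visible folders,
    whatever role the key carries (documents are constructed dicts here)."""
    return [d for d in documents if d["visibility"] == "workspace"]
```

The two checks are deliberately separate: `can_see_folder` is the member-side rule, while `readable_documents` is the stricter filter the page describes for API read endpoints. Since `create` returns the secret exactly once and stores only its digest, losing the secret means minting a new key and revoking the old one by `key_id`.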
Locally, the CLI stores your PAT and workspace list in ~/.sophic/config.json with 0600 file permissions (readable and writable only by your own user account). The file is created when you log in:
sophic login
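For anyone writing a tool that keeps a token on disk the same way, here is how to create the file so that it is never readable by others even for an instant, and how to refuse a file whose permissions have drifted. This is an added example, not the Sophic CLI's code; the symlink and ownership checks go beyond what the page states and are extra precautions, and the path is a parameter rather than the fixed ~/.sophic/config.json.

```python
from __future__ import annotations

import json
import os
import stat
import tempfile
from pathlib import Path


def write_private_config(path: Path, config: dict) -> None:
    """Write the config without a window in which it is world-readable:
    mkstemp creates the temp file with mode 0600 from the start, and the
    rename into place is atomic, so a 0644 file never holds the token."""
    path.parent.mkdir(parents=True, exist_ok=True)
    fd, tmp = tempfile.mkstemp(dir=path.parent, prefix=".config-")
    try:
        with os.fdopen(fd, "w") as f:
            json.dump(config, f, indent=2)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


def check_private(path: Path) -> None:
    """Refuse a config file that anyone but the owner can read or write, the
    way ssh refuses a group-readable private key. Raises PermissionError.
    The symlink and ownership checks are extra precautions added here."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        raise PermissionError(f"{path} is a symlink; refusing to trust it")
    if st.st_uid != os.getuid():
        raise PermissionError(f"{path} is not owned by the current user")
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        raise PermissionError(f"{path} has mode {oct(mode)}; expected 0600")


def load_private_config(path: Path) -> dict:
    """Load the token file only after its permissions have been verified."""
    check_private(path)
    with open(path) as f:
        return json.load(f)
```

The check on read matters as much as the mode on write: a `chmod`, a permissive umask on a copy, or a backup restore can widen the file later, and refusing to use it is the only way the user finds out.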
Encrypted Slack tokens
When you connect Slack via OAuth, the resulting Slack access tokens are encrypted at rest. Slack integration is available on the Basic plan and higher.
Soft deletes preserve history
Deletes in Sophic are soft deletes: records are marked with a deleted_at timestamp rather than being immediately erased. This preserves history so knowledge isn't lost to an accidental removal. Because the rows stay in the database, they remain under the same workspace scoping as live records.
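The pattern, and the one thing that goes wrong with it, fits in a few lines of SQL driven from Python. This is an added example using an in-memory SQLite table, not Sophic's schema; the table, columns other than deleted_at, and the `live_documents` view are constructed for the demonstration. The view is the practical point: if ordinary reads go through it, no query can forget the `deleted_at IS NULL` filter and leak a removed document.

```python
from __future__ import annotations

import sqlite3
from datetime import datetime, timezone

# Constructed schema standing in for a documents table. Every ordinary read
# goes through the view, so the soft-delete filter cannot be forgotten.
SCHEMA = """
CREATE TABLE documents (
    id         INTEGER PRIMARY KEY,
    workspace  TEXT NOT NULL,
    title      TEXT NOT NULL,
    deleted_at TEXT            -- NULL while the document is live
);
CREATE VIEW live_documents AS
    SELECT * FROM documents WHERE deleted_at IS NULL;
"""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def add_document(conn: sqlite3.Connection, workspace: str, title: str) -> int:
    cur = conn.execute(
        "INSERT INTO documents (workspace, title) VALUES (?, ?)", (workspace, title))
    return cur.lastrowid


def soft_delete(conn: sqlite3.Connection, doc_id: int,
                now: datetime | None = None) -> bool:
    """Mark the row deleted instead of erasing it. Returns False if the row
    was already deleted or does not exist."""
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    cur = conn.execute(
        "UPDATE documents SET deleted_at = ? WHERE id = ? AND deleted_at IS NULL",
        (stamp, doc_id))
    return cur.rowcount == 1


def restore(conn: sqlite3.Connection, doc_id: int) -> bool:
    """Undo an accidental removal by clearing the marker."""
    cur = conn.execute(
        "UPDATE documents SET deleted_at = NULL WHERE id = ? AND deleted_at IS NOT NULL",
        (doc_id,))
    return cur.rowcount == 1


def live_titles(conn: sqlite3.Connection, workspace: str) -> list[str]:
    """What a normal read returns: live rows only, via the view."""
    rows = conn.execute(
        "SELECT title FROM live_documents WHERE workspace = ? ORDER BY id", (workspace,))
    return [r[0] for r in rows]


def history(conn: sqlite3.Connection, workspace: str) -> list[tuple[str, str | None]]:
    """History read against the base table: deleted rows stay visible with
    their deleted_at timestamp, which is what makes restore possible."""
    rows = conn.execute(
        "SELECT title, deleted_at FROM documents WHERE workspace = ? ORDER BY id",
        (workspace,))
    return list(rows)
```

Both `soft_delete` and `restore` guard on the current state in the WHERE clause, so a repeated delete cannot overwrite the original timestamp and a restore of a live row is a no-op rather than a silent success.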
Where embeddings and vectors live
Documents are split into hierarchical sections and embedded using Google's gemini-embedding-001 model (768 dimensions). The resulting vectors are stored in the same PostgreSQL database via the pgvector extension and power semantic search, so they sit under the same workspace scoping and row-level security as the rest of your data rather than in a separate vector service.
FAQ
Are my API keys recoverable if I lose them?
No. Because Sophic stores only a SHA-256 hash, the original key cannot be shown again after creation. Create a new key and revoke the old one.
Can a leaked read-only API key expose private folders?
No. Read endpoints only return documents in workspace-visible folders, and each key carries its own visibility role and scopes. Revoke a leaked key immediately all the same: its read scope still covers every workspace-visible document until you do.
What happens to a document when I delete it?
It is soft-deleted with a deleted_at marker so history is preserved, rather than being permanently destroyed on the spot.
How do I limit how long a credential is valid?
Set an optional expiry when creating an API key, and revoke any credential at any time from workspace settings.