Architecture

Every output movó produces is traceable.

Three properties hold across every record: deterministic input and output hashes, multi-tenant isolation at the database layer, and a refusal discipline that prefers silence over fabrication.

Each output writes an inputHash and outputHash into an append-only audit log. Given the same inputs, the same outputs can be regenerated and the hash chain re-verified.

01

Data plane

Customer data lives in a single hosted, managed relational database with native support for vector embeddings. Row-level security policies are required on every table: no table ships without an org_id scope.

movó operates as a non-PHI service from day one. A Business Associate Agreement is available on the Team tier for customers who need to bring PHI into scope.

02

Determinism guarantees

Every output carries an inputHash (SHA-256 of the resolved inputs) and an outputHash (SHA-256 of the rendered output). Both are written to an append-only audit table.

Given the same inputs, the same outputs are produced. Buyers can request a replay of any historical record and re-derive the hashes — the audit trail is the proof.

03

Refusal discipline

The assistant refuses when it lacks an input it needs, instead of fabricating a plausible answer. Refusals carry a structured reason code that names the exact input the caller needs to supply.

Internal target: refusal rate below 3% of total turns, measured weekly. A higher rate triggers a data-coverage review rather than a relaxation of the discipline.
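The determinism guarantees (02) and the refusal discipline (03) can be illustrated together. The following is an added example, not movó's own code: it is an assumed model of how a turn either refuses with a structured reason code naming the missing input, or renders an output and writes its inputHash and outputHash into a hash-chained, append-only audit log that can later be replayed and re-verified. The required-input set, the renderer, and the chain-link format are assumptions; only the use of SHA-256 over resolved inputs and rendered output comes from the page.

```python
from __future__ import annotations
import hashlib
import json
from dataclasses import dataclass

# Assumed set of inputs a turn needs before it may render (the page does not
# list movó's actual required inputs).
REQUIRED_INPUTS = ("org_id", "question", "source_record")


def canonical(obj) -> bytes:
    """Serialize deterministically so identical inputs always hash identically."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class AuditEntry:
    seq: int
    input_hash: str
    output_hash: str
    prev_hash: str    # entry_hash of the predecessor; this is the chain link
    entry_hash: str   # commits to seq, both hashes and prev_hash


@dataclass
class Refusal:
    reason_code: str
    missing_input: str  # the exact input the caller must supply


class AuditLog:
    """Append-only log: entries are never edited, each commits to the one before it."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries: list[AuditEntry] = []

    def append(self, input_hash: str, output_hash: str) -> AuditEntry:
        prev = self.entries[-1].entry_hash if self.entries else self.GENESIS
        seq = len(self.entries)
        entry_hash = sha256_hex(canonical([seq, input_hash, output_hash, prev]))
        entry = AuditEntry(seq, input_hash, output_hash, prev, entry_hash)
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        """Re-hash every entry and check each link; any edit or reorder breaks it."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            expected = sha256_hex(canonical([e.seq, e.input_hash, e.output_hash, e.prev_hash]))
            if e.seq != i or e.prev_hash != prev or e.entry_hash != expected:
                return False
            prev = e.entry_hash
        return True


def render(inputs: dict) -> str:
    """Stand-in for the assistant's deterministic renderer (assumed)."""
    return f"[{inputs['org_id']}] {inputs['question']} -> {inputs['source_record']}"


def produce(inputs: dict, log: AuditLog):
    """Refuse, naming the missing input, rather than fabricate; else render and audit."""
    for name in REQUIRED_INPUTS:
        if not inputs.get(name):
            return Refusal(reason_code="MISSING_INPUT", missing_input=name)
    input_hash = sha256_hex(canonical(inputs))       # SHA-256 of resolved inputs
    output = render(inputs)
    output_hash = sha256_hex(output.encode())        # SHA-256 of rendered output
    log.append(input_hash, output_hash)
    return output


def replay(inputs: dict, entry: AuditEntry) -> bool:
    """Re-derive both hashes from the stored inputs and compare with the audit row."""
    return (sha256_hex(canonical(inputs)) == entry.input_hash
            and sha256_hex(render(inputs).encode()) == entry.output_hash)


def refusal_rate(results) -> float:
    """Share of turns that refused; the page's weekly metric is computed this way (assumed)."""
    refusals = sum(isinstance(r, Refusal) for r in results)
    return refusals / len(results) if results else 0.0
```

Replay only proves anything if the renderer is deterministic: any nondeterministic input (a timestamp, a sampled model output) that is not folded into the resolved inputs would make `replay` fail for honest records, so the resolved-input set must capture everything the output depends on.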

04

Multi-tenant isolation

Tenants are scoped at the database layer by org_id. Row-level security policies on every table reject cross-tenant reads and writes; the service role key never reaches the browser.

A build-time tenancy guard walks the rendered component tree and fails the build if a tenant-rendered file contains a hardcoded customer token without an explicit organization gate. Cross-tenant rendering is prevented by construction, not by review discipline alone.
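The build-time tenancy guard can be sketched as a small scanner. This is an added example, not movó's guard: what a "hardcoded customer token" and an "explicit organization gate" look like in source is not stated on the page, so both patterns here are assumed conventions (a `cust_` token with eight hex digits, and a `withOrgGate("org_…", …)` call), as is the rule that only `.tsx`/`.jsx` files are tenant-rendered. The sample file tree is constructed inline so the script runs offline; pass a directory as the first argument to scan a real tree.

```python
from __future__ import annotations
import re
import sys
from pathlib import Path

# Assumed conventions, not movó's actual ones.
CUSTOMER_TOKEN = re.compile(r"\bcust_[0-9a-f]{8}\b")
ORG_GATE = re.compile(r"\bwithOrgGate\(\s*['\"]org_[A-Za-z0-9_-]+['\"]")


def find_violations(source: str) -> list[tuple[int, str]]:
    """Return (line_number, token) for each customer token when the file has no org gate."""
    if ORG_GATE.search(source):
        return []  # file is gated on an organization; tokens inside it are allowed
    violations = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in CUSTOMER_TOKEN.finditer(line):
            violations.append((lineno, m.group(0)))
    return violations


def check_tree(files: dict[str, str]) -> dict[str, list[tuple[int, str]]]:
    """Walk rendered files (path -> contents) and collect violations per file."""
    report = {}
    for path, source in files.items():
        if not path.endswith((".tsx", ".jsx")):
            continue  # only tenant-rendered UI files are in scope (assumed)
        found = find_violations(source)
        if found:
            report[path] = found
    return report


def load_tree(root: str) -> dict[str, str]:
    """Read every file under root into memory (real-tree mode)."""
    return {str(p): p.read_text(errors="replace") for p in Path(root).rglob("*") if p.is_file()}


# Constructed sample tree standing in for a rendered component tree.
SAMPLE_TREE = {
    "app/Dashboard.tsx": 'const token = "cust_0badf00d";\n'
                         'export default () => <Widget token={token} />;\n',
    "app/Report.tsx": 'withOrgGate("org_acme", () => render("cust_0badf00d"));\n',
    "app/Shared.tsx": 'export const label = "Overview";\n',
    "README.md": "cust_deadbeef is mentioned in docs, not in rendered code\n",
}

if __name__ == "__main__":
    tree = load_tree(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_TREE
    report = check_tree(tree)
    for path, found in report.items():
        for lineno, token in found:
            print(f"{path}:{lineno}: hardcoded customer token {token} without organization gate")
    sys.exit(1 if report else 0)  # a non-zero exit is what fails the build
```

The gate check here is file-scoped, which is the simplest heuristic; a stricter guard would require the token to sit lexically inside the gated callback rather than anywhere in the same file. The important property is the exit code: the build fails when a violation exists, so cross-tenant rendering is blocked before a reviewer ever sees the change.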

05

Security posture

SOC 2 Type II audit in progress, target completion Q4 2026. GitHub Advanced Security is enabled on the private source repositories. Source maps are disabled in production builds so shipped JavaScript cannot be reversed back to source.

All secrets are stored in provider-managed environment-variable stores and are never committed to the repository. The intelligence that drives movó's outputs runs server-side only; the browser receives results, not methodology.

06

Reliability

The frontend, container services, and managed database each run on production-tier hosting with the provider's autoscaling defaults. Daily snapshot backups of the database are taken on every tier.

Point-in-time recovery (PITR) is available on the Team tier and gives customers minute-level restore granularity within the retention window.

07

Integration surface

External systems movó integrates with today:

  • Gmail OAuth — read and send on consented mailboxes.
  • Stripe Billing — subscription billing and customer portal.
  • ProPublica EIN lookup — public IRS data on US nonprofits.
  • Public IRS Form 990 retrieval — public-record financials.

Every integration is read-only against a public or consented source. movó does not scrape authenticated surfaces and does not run requests that violate a third party's terms of service.

Procurement questions?

Send us your security questionnaire, DPA template, or architecture review checklist. We turn most reviews around within two business days.