Security overview
Schedule data is commercially sensitive. P6 Schedule Analyzer is designed with multi-tenant isolation and authenticated access from day one.
JWT-authenticated API
Every request to the P6 backend requires a valid Supabase JWT. There is no unauthenticated access to schedule data. Tokens are verified on every API call under /api/v1/*.
User-scoped isolation
Cache entries, snapshots, and project data are scoped to your user ID. Other accounts cannot access your schedules, analysis results, or exported files.
In-memory processing
Uploaded XER files are parsed in memory with a 60-minute TTL. Durable snapshots are stored in your own Supabase project with row-level security enforced by user ID.
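The three controls described so far (a token check on every call, user-scoped cache entries, and a 60-minute TTL) fit together as in the sketch below. This is an added example, not P6 Schedule Analyzer's own code. It assumes HS256 tokens signed with a shared secret, and all function and class names are hypothetical.

```python
import base64, hashlib, hmac, json, time

TTL_SECONDS = 60 * 60  # the 60-minute TTL stated on the page

def _b64d(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _mac(signing_input, secret):
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()

def sign_hs256(claims, secret):
    """Build a constructed test token; stands in for the identity provider."""
    enc = lambda raw: base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    signing_input = (enc(json.dumps({"alg": "HS256"}).encode()) + "."
                     + enc(json.dumps(claims).encode()))
    return signing_input + "." + enc(_mac(signing_input, secret))

def verify_hs256(token, secret, now=None):
    """Return the token's user ID (sub claim) or raise ValueError."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        if json.loads(_b64d(head)).get("alg") != "HS256":  # pin the algorithm
            raise ValueError("unexpected alg")
        if not hmac.compare_digest(_mac(head + "." + body, secret), _b64d(sig)):
            raise ValueError("bad signature")
        claims = json.loads(_b64d(body))
        exp, sub = claims.get("exp"), claims.get("sub")
    except (ValueError, TypeError, AttributeError) as exc:
        raise ValueError(f"invalid token: {exc}") from None
    if not isinstance(exp, (int, float)) or exp <= now or not sub:
        raise ValueError("expired token or missing exp/sub")
    return sub

class UserScopedCache:
    """In-memory store keyed by (user_id, key); entries expire after the TTL."""
    def __init__(self):
        self._items = {}
    def put(self, user_id, key, value, now=None):
        now = time.time() if now is None else now
        self._items[(user_id, key)] = (now + TTL_SECONDS, value)
    def get(self, user_id, key, now=None):
        now = time.time() if now is None else now
        expires, value = self._items.get((user_id, key), (0, None))
        if expires <= now:
            self._items.pop((user_id, key), None)  # evict expired entry
            return None
        return value

def fetch_upload(cache, token, secret, key, now=None):
    # The user ID comes only from the verified token, never from the request.
    return cache.get(verify_hs256(token, secret, now), key, now)
```

Because the cache key includes the verified `sub`, a valid token for one account can never resolve another account's entry, even when both use the same upload key.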
Controlled schedule edits
All destructive operations (batch updates, relationship changes) require explicit user approval before execution. Every approved mutation automatically creates a snapshot so you can review or revert changes.
Data storage
Account details, uploaded XER files, generated snapshots, and conversation history are stored to provide the analysis service. Supabase row-level security ensures data is only accessible to the owning user.
AI & tooling processing
Uploaded XER data and generated snapshots may be processed by AI models and automated tooling to provide analysis, health checks, and recommendations. This processing is integral to the service.
Beta data handling
P6 Schedule Analyzer is currently in beta. While we take security seriously, we recommend that users avoid uploading confidential or contractually sensitive project data unless they are comfortable with the beta environment. We do not currently hold SOC 2, ISO 27001, or equivalent certifications. Data retention and deletion policies may evolve as the product matures.
Questions about security? Get in touch.