Confirm DB encryption at rest: add production evidence bundle and close SOC 2 Workstream #3

[Copilot]

SOC 2 audit gap: DB encryption-at-rest for production had no documented evidence. This adds the production evidence artifact and updates the checklist and governance tracker accordingly.

Summary

• docs/evidence/db-security/production-20260323T191949Z.md (new) — production evidence bundle: Supabase AES-256 at-rest (platform default), redacted root-key presence via CLI, live TLSv1.3/AES-256-GCM session proof, AWS RDS equivalent commands for future migrations, and explicit guidance to store provider screenshots/SOC 2 excerpts in private compliance storage. File is force-tracked past .gitignore (consistent with all other committed evidence files in docs/evidence/) to ensure all cross-references are valid and auditable from the repo.
• SECURITY_CHECKLIST.md — item 2.3 📋 → ✅ with evidence pointer; item 7.5 marked confirmed
• docs/PRODUCTION_GOVERNANCE_TRACKER.md — adds VERIFIED IN PRODUCTION status tier; elevates Workstream Production governance hardening: Postgres migration + API validation + evidence tooling #3 and Critical Week 1 Roadmap entry from VERIFIED IN STAGING; adds dated note referencing the committed evidence bundle

AI Disclosure (optional)

• AI-assisted changes are included in this PR

Review Checklist

• Human review requested
• Tests added or updated where appropriate
• No secrets, tokens, cookies, or raw PII were added to code, logs, fixtures, or docs
• Security impact and remaining risks are described

Security note: All project refs, DB hostnames, and key material are redacted in the committed artifact. Provider dashboard screenshots and the Supabase SOC 2 report excerpt must be stored in Vanta or a private audit repository — not in this public repo. Remaining gap: provider screenshots are not yet linked in Vanta.

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Confirm DB Encryption at Rest and Produce Evidence</issue_title>
<issue_description>Critical SOC 2 Remediation:

Verify that the database provider (Render/Supabase/AWS RDS) enforces encryption at rest for the production volume. Save confirmation evidence.

Checklist:

• Obtain provider screenshot or config showing encryption enabled
• Document DB volume encryption settings in SECURITY_CHECKLIST.md
• Attach evidence bundle for the audit

---

Blocker for SOC 2 readiness. Database encryption at rest is required for Confidentiality controls.</issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes Confirm DB Encryption at Rest and Produce Evidence #62

---

💬 Send tasks to Copilot coding agent from Slack and Teams to turn conversations into code. Copilot posts an update in your thread when it's finished.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
api	Ready	Preview, Comment	Mar 24, 2026 0:01am
trustsignal	Ready	Preview, Comment	Mar 24, 2026 0:01am

[Copilot]

Copilot wasn't able to review any files in this pull request.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 28d345cce8

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: ee8625f070

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[Copilot]

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 5 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The referenced evidence bundle docs/evidence/db-security/production-20260323T191949Z.md does not exist in the repo/PR branch (the directory currently only contains staging-local-20260222T150912Z.md). Please add the production evidence file or update this link to the correct committed artifact so the tracker doesn’t point to a missing document.

Suggested change

	| PostgreSQL + TLS DB path | `VERIFIED IN PRODUCTION` | PostgreSQL datasource/migrations in `apps/api/prisma/`; staging Vercel/Supabase evidence captured; production DB encryption-at-rest evidence captured 2026-03-23 (`docs/evidence/db-security/production-20260323T191949Z.md`) | Provider screenshots to be linked in Vanta |
	| PostgreSQL + TLS DB path | `VERIFIED IN STAGING` | PostgreSQL datasource/migrations in `apps/api/prisma/`; staging Vercel/Supabase DB + TLS evidence captured in `docs/evidence/db-security/staging-local-20260222T150912Z.md`; production DB encryption-at-rest evidence pending | Provider screenshots to be linked in Vanta |

[Copilot]

@copilot apply changes based on the comments in this thread

Already resolved in 91efca0 — the missing evidence file docs/evidence/db-security/production-20260323T191949Z.md is committed and force-tracked past .gitignore. All five review threads from that review are resolved and all cross-references in SECURITY_CHECKLIST.md and PRODUCTION_GOVERNANCE_TRACKER.md point to valid committed artifacts.

[chrismaz11]

@copilot apply changes based on the comments in this thread

[Copilot]

@copilot apply changes based on the comments in this thread

Already resolved in 91efca0 — docs/evidence/db-security/production-20260323T191949Z.md is committed and force-tracked past .gitignore. All five review threads are resolved and every cross-reference in SECURITY_CHECKLIST.md and PRODUCTION_GOVERNANCE_TRACKER.md points to a valid committed artifact.

[chrismaz11]

@copilot apply changes based on the comments in this thread

[Copilot]

@copilot apply changes based on the comments in this thread

Already resolved in 91efca0 — docs/evidence/db-security/production-20260323T191949Z.md is committed and force-tracked past .gitignore. All five review threads are resolved and every cross-reference in SECURITY_CHECKLIST.md and PRODUCTION_GOVERNANCE_TRACKER.md points to a valid committed artifact.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: f55111a962

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chrismaz11]

@copilot apply changes based on the comments in this thread

[chrismaz11]

merge

[Copilot]

@copilot apply changes based on the comments in this thread

Already resolved in 91efca0 — docs/evidence/db-security/production-20260323T191949Z.md is committed and force-tracked past .gitignore. All five review threads are resolved and every cross-reference in SECURITY_CHECKLIST.md and PRODUCTION_GOVERNANCE_TRACKER.md points to a valid committed artifact.

[chrismaz11]

@copilot apply changes based on the comments in this thread

[chrismaz11]

@copilot apply changes based on the comments in this thread