Trust and Security

How your data is isolated

Materials Prep is multi-tenant. Every lab's data lives in the same Postgres database alongside other labs, but is isolated by row-level security policies enforced inside the database itself. Each row in every domain table carries alab_idand anorg_id, and Postgres rejects any read or write that does not match the signed-in user's lab and organization memberships.

This is the same enforcement boundary regardless of whether the request comes from our web app, a future API, or, in the event of a bug in our application code, a misrouted query. Authorization is not implemented at the application layer alone; it is implemented in the database.

Shareable content like recipes, atlas entries, and studies has an explicit visibility scope, private, lab, org, or global, that you set when you create the record. Nothing leaves your lab's scope unless you intentionally widen the scope.

Access control inside your lab

Each lab has three roles:

• Admin: can invite and remove members, configure the lab, and read and write all lab data.
• Technician: can create and edit samples, prep work, recipes, and atlas entries.
• Viewer: read-only. Mutating actions are rejected explicitly, both at the application layer and by the database's row-level security policies.

Members are added by invitation only. Invites are tokenized, single-use, and tied to a specific lab; they cannot be replayed across labs.

Organizations group multiple labs (for example, several site labs under the same company). Cross-lab access requires explicit organization membership and an appropriate role; it is not granted automatically.

Authentication

Authentication is handled by Supabase Auth. Sessions are managed with HttpOnly, Secure cookies. Passwords, when used, are stored hashed; we never store plaintext passwords and cannot retrieve them. Sign-in events and other security- relevant events are logged in the audit log.

Sign-in methods. Email + password, magic-link email, and OAuth via Google or Microsoft are available on every plan. Each method is recorded in the audit log with the originating IP and user-agent.

Domain-bound SSO. Organizations on Multi-Lab and above can claim email domains they own (e.g. acme.com). When a new user signs in via Google or Microsoft with an address at a claimed domain, they're auto-added to that organization as a viewer in the earliest-created lab. Org admins can promote them from there. Public providers (gmail.com, outlook.com, ...) cannot be claimed. Releasing a claim stops new auto-joins; existing members keep their access.

Not yet supported. SAML / custom IdPs, SCIM provisioning, and JIT role assignment by IdP group. SCIM in particular is on the roadmap for the Unlimited tier; reach out if your procurement requires it before evaluation.

Encryption

All traffic between your browser and Materials Prep is protected by TLS. The application is served over HTTPS only.

Database storage and file storage are encrypted at rest by our infrastructure providers using industry-standard symmetric encryption. Backups inherit the same at-rest encryption.

Images and files

Micrographs, journal photos, and report PDFs live in private Supabase Storage buckets. They are not publicly listable and not publicly readable. The application generates short-lived signed URLs on demand to display images to authorized users in your lab; those URLs expire and cannot be reused indefinitely.

Storage paths are scoped by organization and lab, and bucket policies enforce the same membership checks as database row-level security.

Audit logging

Materials Prep maintains an append-only audit log, accessible to organization admins from Organization settings → Audit log. The log captures lifecycle events across the data your lab relies on, plus the security and configuration events an auditor typically asks about.

What is captured. Auth events (sign-in success, sign-out, password change), and create / update / delete events on samples, prep journal steps, sample notes, sample images, recipes, recipe attempts, atlas entries, studies, reports, custom materials and alloys, lab settings (sample ID format), lab memberships, organization settings, and invitations. Each row records the actor, the timestamp, the action, the originating IP and user-agent, and a snapshot of the data before and after the change.

Immutability. The audit table has no INSERT, UPDATE, or DELETE policy for application users. Entries are written by the system at the moment of the change and cannot be edited, backdated, or removed through the application. The data is also encrypted at rest by our infrastructure provider.

Access. The audit log viewer is gated to organization admins. Lab admins of any lab in the organization can also read the log via the database policy. Non-admin members cannot read it.

Retention. Audit log retention is unlimited for paid plans. We do not prune or summarize entries. Org admins can export the full filtered log to CSV at any time, including the actor, IP, user-agent, and full before/after snapshots, for handing to an internal or external auditor.

Known limits. Materials Prep is suitable for ISO 17025 traceability, NADCAP / AS9100 process audits, and most internal QC and university research workflows. We do not currently meet 21 CFR Part 11 strict compliance: the application does not yet support electronic signatures, failed-authentication attempts are not logged, and the audit-log access surface is not itself audited. If your work falls under FDA scope, please reach out before relying on Materials Prep for regulated records.

Soft deletes and recovery

Most records, samples, recipes, studies, atlas entries, etchants, equipment, are soft-deleted. A delete marks the row as removed and hides it from the application; it does not immediately erase the data. This makes accidental deletions recoverable, and it keeps the audit trail complete. Hard deletion of soft-deleted data, on request, is described under “Data deletion” below.

What we do, and don't do, with your data

We do not sell your data. We do not rent it, lease it, or trade it. We do not share your data or your Content with any third party for that third party's own purposes, including advertising, marketing, analytics, or AI model training. We do not use third-party advertising cookies or behavioral trackers.

Pace Technologies Corporation, the company that operates Materials Prep, also makes metallography sample preparation equipment. We may use information about how Materials Prep is used internally to inform Pace Technologies' product development and to decide what guidance or resources might be useful to share with you. That use is internal to Pace Technologies; nothing leaves the company. The full description is in our Privacy Policy.

Subprocessors and where your data lives

Materials Prep is operated from the United States. The following service providers process data on our behalf, under written contract, solely to provide the Service:

• Supabase: managed Postgres database, authentication, and file storage.
• Vercel: application hosting and content delivery.
• Resend: transactional and operational email delivery (sign-in, invitations, account notifications).

Subprocessors are not permitted to use your data for their own purposes. We will update this list as our infrastructure evolves; the categories of permitted recipients (operational providers acting on our behalf) will not change without notice.

Backups and your responsibility

Our database provider performs automated daily backups of the managed Postgres instance, with at-rest encryption applied to backup storage.

That said, automated backups are a recovery tool for operational incidents. They are not a substitute for your own copies of data your lab cannot afford to lose. We recommend that you periodically export data you depend on. The Service is in active development, and as our Privacy Policy states, bugs, regressions, migrations, and outages can result in unintended changes to or loss of Content. Please keep your own copies of work you cannot afford to recreate.

Data export and portability

Your data is yours. On request, we will export your lab's samples, prep work, recipes, etchants, atlas entries, and studies in a machine-readable format (CSV or JSON, depending on the record type), along with the original image files. Email pace@metallographic.com from an account associated with your lab and we will get back to you. Self-serve export is on the roadmap.

Data deletion

You can delete records from inside the application; deleted records are soft-deleted as described above. To request permanent deletion of a lab, an organization, or your account, including the associated images and audit history (subject to what we are required to retain by law), email us at the address above. We will process the request within a reasonable time and confirm when it is complete. Backups and operational logs may persist for additional time after deletion in accordance with their retention schedules.

Active development; honest disclosure

Materials Prep is in active and ongoing development. We ship changes frequently, including changes to the data model. Migrations, regressions, and outages are real possibilities. We are direct about this in our Privacy Policy and we are direct about it here: please keep your own backups of any work you cannot afford to lose.

We would rather be honest about the stage of the product than imply a level of operational maturity we have not earned yet. The trade-off is that you get a tool actually built around metallography, today, while we build out the certifications, redundancy, and tooling that mature SaaS expects.

Compliance posture

We do not currently hold SOC 2, ISO 27001, HIPAA, or FedRAMP attestations. We are a small team and these certifications are a meaningful operational and financial commitment that we will make when our customers need them.

If your procurement or IT review requires one of these, please reach out before assuming the answer is no. We are happy to walk through our controls in detail, sign a mutual NDA, and tell you honestly where we are on the path.

Reporting a vulnerability

If you believe you have found a security issue in Materials Prep, please email pace@metallographic.com with details and steps to reproduce. We commit to acknowledging your report within five business days and to working with you in good faith to investigate and resolve the issue. We do not operate a paid bug bounty at this stage; we will credit researchers who report responsibly, with permission.

Please do not access, modify, or destroy data that is not yours; do not run automated scans that could degrade service for other users; and give us a reasonable window to resolve an issue before disclosing it publicly.

Contact

Pace Technologies Corporation
pace@metallographic.com

For the legal version of how we collect, use, retain, and share information, see our Privacy Policy and Terms.