@trycompai/db 1.3.17 → 1.3.19-canary.3

package/dist/schema.prisma

@@ -14,279 +14,287 @@ datasource db {
 
 // ===== attachments.prisma =====
 model Attachment {
-    id         String               @id @default(dbgenerated("generate_prefixed_cuid('att'::text)"))
-    name       String
-    url        String
-    type       AttachmentType
-    entityId   String
-    entityType AttachmentEntityType
+  id         String               @id @default(dbgenerated("generate_prefixed_cuid('att'::text)"))
+  name       String
+  url        String
+  type       AttachmentType
+  entityId   String
+  entityType AttachmentEntityType
 
-    // Dates
-    createdAt DateTime @default(now())
-    updatedAt DateTime @updatedAt
+  // Dates
+  createdAt DateTime @default(now())
+  updatedAt DateTime @updatedAt
 
-    // Relationships
-    organizationId String
-    organization   Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade)
-    comment        Comment?     @relation(fields: [commentId], references: [id])
-    commentId      String?
+  // Relationships
+  organizationId String
+  organization   Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade)
+  comment        Comment?     @relation(fields: [commentId], references: [id])
+  commentId      String?
 
-    @@index([entityId, entityType])
+  @@index([entityId, entityType])
 }
 
 enum AttachmentEntityType {
-    task
-    vendor
-    risk
-    comment
+  task
+  vendor
+  risk
+  comment
+  trust_nda
 }
 
 enum AttachmentType {
-    image
-    video
-    audio
-    document
-    other
+  image
+  video
+  audio
+  document
+  other
 }
 
 
 // ===== auth.prisma =====
 model User {
-    id            String    @id @default(dbgenerated("generate_prefixed_cuid('usr'::text)"))
-    name          String
-    email         String
-    emailVerified Boolean
-    image         String?
-    createdAt     DateTime  @default(now())
-    updatedAt     DateTime  @updatedAt
-    lastLogin     DateTime?
-
-    accounts           Account[]
-    auditLog           AuditLog[]
-    integrationResults IntegrationResult[]
-    invitations        Invitation[]
-    members            Member[]
-    sessions           Session[]
+  id                             String    @id @default(dbgenerated("generate_prefixed_cuid('usr'::text)"))
+  name                           String
+  email                          String
+  emailVerified                  Boolean
+  image                          String?
+  createdAt                      DateTime  @default(now())
+  updatedAt                      DateTime  @updatedAt
+  lastLogin                      DateTime?
+  emailNotificationsUnsubscribed Boolean   @default(false)
+  emailPreferences               Json?     @default("{\"policyNotifications\":true,\"taskReminders\":true,\"weeklyTaskDigest\":true,\"unassignedItemsNotifications\":true}")
+
+  accounts           Account[]
+  auditLog           AuditLog[]
+  integrationResults IntegrationResult[]
+  invitations        Invitation[]
+  members            Member[]
+  sessions           Session[]
 
-    @@unique([email])
+  @@unique([email])
 }
 
 model EmployeeTrainingVideoCompletion {
-    id          String    @id @default(dbgenerated("generate_prefixed_cuid('evc'::text)"))
-    completedAt DateTime?
-    videoId     String
+  id          String    @id @default(dbgenerated("generate_prefixed_cuid('evc'::text)"))
+  completedAt DateTime?
+  videoId     String
 
-    memberId String
-    member   Member @relation(fields: [memberId], references: [id], onDelete: Cascade)
+  memberId String
+  member   Member @relation(fields: [memberId], references: [id], onDelete: Cascade)
 
-    @@unique([memberId, videoId])
-    @@index([memberId])
+  @@unique([memberId, videoId])
+  @@index([memberId])
 }
 
 model Session {
-    id                   String   @id @default(dbgenerated("generate_prefixed_cuid('ses'::text)"))
-    expiresAt            DateTime
-    token                String
-    createdAt            DateTime @default(now())
-    updatedAt            DateTime @updatedAt
-    ipAddress            String?
-    userAgent            String?
-    userId               String
-    activeOrganizationId String?
-    user                 User     @relation(fields: [userId], references: [id], onDelete: Cascade)
-
-    @@unique([token])
+  id                   String   @id @default(dbgenerated("generate_prefixed_cuid('ses'::text)"))
+  expiresAt            DateTime
+  token                String
+  createdAt            DateTime @default(now())
+  updatedAt            DateTime @updatedAt
+  ipAddress            String?
+  userAgent            String?
+  userId               String
+  activeOrganizationId String?
+  user                 User     @relation(fields: [userId], references: [id], onDelete: Cascade)
+
+  @@unique([token])
 }
 
 model Account {
-    id                    String    @id @default(dbgenerated("generate_prefixed_cuid('acc'::text)"))
-    accountId             String
-    providerId            String
-    userId                String
-    user                  User      @relation(fields: [userId], references: [id], onDelete: Cascade)
-    accessToken           String?
-    refreshToken          String?
-    idToken               String?
-    accessTokenExpiresAt  DateTime?
-    refreshTokenExpiresAt DateTime?
-    scope                 String?
-    password              String?
-    createdAt             DateTime
-    updatedAt             DateTime
+  id                    String    @id @default(dbgenerated("generate_prefixed_cuid('acc'::text)"))
+  accountId             String
+  providerId            String
+  userId                String
+  user                  User      @relation(fields: [userId], references: [id], onDelete: Cascade)
+  accessToken           String?
+  refreshToken          String?
+  idToken               String?
+  accessTokenExpiresAt  DateTime?
+  refreshTokenExpiresAt DateTime?
+  scope                 String?
+  password              String?
+  createdAt             DateTime
+  updatedAt             DateTime
 }
 
 model Verification {
-    id         String   @id @default(dbgenerated("generate_prefixed_cuid('ver'::text)"))
-    identifier String
-    value      String
-    expiresAt  DateTime
-    createdAt  DateTime @default(now())
-    updatedAt  DateTime @updatedAt
+  id         String   @id @default(dbgenerated("generate_prefixed_cuid('ver'::text)"))
+  identifier String
+  value      String
+  expiresAt  DateTime
+  createdAt  DateTime @default(now())
+  updatedAt  DateTime @updatedAt
 }
 
 // JWT Plugin - Required by Better Auth JWT plugin
 // https://www.better-auth.com/docs/plugins/jwt
 model Jwks {
-    id         String   @id @default(dbgenerated("generate_prefixed_cuid('jwk'::text)"))
-    publicKey  String
-    privateKey String
-    createdAt  DateTime @default(now())
+  id         String   @id @default(dbgenerated("generate_prefixed_cuid('jwk'::text)"))
+  publicKey  String
+  privateKey String
+  createdAt  DateTime @default(now())
 
-    @@map("jwks")
+  @@map("jwks")
 }
 
 model Member {
-    id             String       @id @default(dbgenerated("generate_prefixed_cuid('mem'::text)"))
-    organizationId String
-    organization   Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade)
-    userId         String
-    user           User         @relation(fields: [userId], references: [id], onDelete: Cascade)
-    role           String // Purposefully a string, since BetterAuth doesn't support enums this way
-    createdAt      DateTime     @default(now())
-
-    department                      Departments                       @default(none)
-    isActive                        Boolean                           @default(true)
-    deactivated                     Boolean                           @default(false)
-    employeeTrainingVideoCompletion EmployeeTrainingVideoCompletion[]
-    fleetDmLabelId                  Int?
-
-    assignedPolicies Policy[]   @relation("PolicyAssignee") // Policies where this member is an assignee
-    approvedPolicies Policy[]   @relation("PolicyApprover") // Policies where this member is an approver
-    risks            Risk[]
-    tasks            Task[]
-    vendors          Vendor[]
-    comments         Comment[]
-    auditLogs        AuditLog[]
+  id             String       @id @default(dbgenerated("generate_prefixed_cuid('mem'::text)"))
+  organizationId String
+  organization   Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade)
+  userId         String
+  user           User         @relation(fields: [userId], references: [id], onDelete: Cascade)
+  role           String // Purposefully a string, since BetterAuth doesn't support enums this way
+  createdAt      DateTime     @default(now())
+
+  department                      Departments                       @default(none)
+  isActive                        Boolean                           @default(true)
+  deactivated                     Boolean                           @default(false)
+  employeeTrainingVideoCompletion EmployeeTrainingVideoCompletion[]
+  fleetDmLabelId                  Int?
+
+  assignedPolicies       Policy[]             @relation("PolicyAssignee") // Policies where this member is an assignee
+  approvedPolicies       Policy[]             @relation("PolicyApprover") // Policies where this member is an approver
+  approvedSOADocuments   SOADocument[]        @relation("SOADocumentApprover") // SOA documents where this member is an approver
+  risks                  Risk[]
+  tasks                  Task[]
+  vendors                Vendor[]
+  comments               Comment[]
+  auditLogs              AuditLog[]
+  reviewedAccessRequests TrustAccessRequest[] @relation("TrustAccessRequestReviewer")
+  issuedGrants           TrustAccessGrant[]   @relation("IssuedGrants")
+  revokedGrants          TrustAccessGrant[]   @relation("RevokedGrants")
 }
 
 model Invitation {
-    id             String       @id @default(dbgenerated("generate_prefixed_cuid('inv'::text)"))
-    organizationId String
-    organization   Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade)
-    email          String
-    role           String // Purposefully a string, since BetterAuth doesn't support enums this way
-    status         String
-    expiresAt      DateTime
-    inviterId      String
-    user           User         @relation(fields: [inviterId], references: [id], onDelete: Cascade)
+  id             String       @id @default(dbgenerated("generate_prefixed_cuid('inv'::text)"))
+  organizationId String
+  organization   Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade)
+  email          String
+  role           String // Purposefully a string, since BetterAuth doesn't support enums this way
+  status         String
+  expiresAt      DateTime
+  inviterId      String
+  user           User         @relation(fields: [inviterId], references: [id], onDelete: Cascade)
+  createdAt      DateTime     @default(now())
 }
 
 // This is only for the app to consume, shouldn't be enforced by DB
 // Otherwise it won't work with Better Auth, as per https://www.better-auth.com/docs/plugins/organization#access-control
 enum Role {
-    owner
-    admin
-    auditor
-    employee
-    contractor
+  owner
+  admin
+  auditor
+  employee
+  contractor
 }
 
 enum PolicyStatus {
-    draft
-    published
-    needs_review
+  draft
+  published
+  needs_review
 }
 
 
 // ===== automation-run.prisma =====
 model EvidenceAutomationRun {
-    id        String   @id @default(dbgenerated("generate_prefixed_cuid('ear'::text)"))
-    createdAt DateTime @default(now())
-    updatedAt DateTime @updatedAt
-
-    // Relations
-    evidenceAutomationId String
-    evidenceAutomation   EvidenceAutomation @relation(fields: [evidenceAutomationId], references: [id], onDelete: Cascade)
-
-    // Run details
-    status      EvidenceAutomationRunStatus @default(pending)
-    startedAt   DateTime?
-    completedAt DateTime?
-
-    // Results
-    success Boolean?
-    error   String?
-    logs    Json?
-    output  Json?
-
-    // Evaluation
-    evaluationStatus EvidenceAutomationEvaluationStatus?
-    evaluationReason String?
-
-    // Metadata
-    triggeredBy EvidenceAutomationTrigger @default(scheduled)
-    runDuration Int? // in milliseconds
-    version     Int? // Version number that was executed (null = draft)
-    Task        Task?                     @relation(fields: [taskId], references: [id])
-    taskId      String?
-
-    @@index([evidenceAutomationId])
-    @@index([status])
-    @@index([createdAt])
-    @@index([version])
+  id        String   @id @default(dbgenerated("generate_prefixed_cuid('ear'::text)"))
+  createdAt DateTime @default(now())
+  updatedAt DateTime @updatedAt
+
+  // Relations
+  evidenceAutomationId String
+  evidenceAutomation   EvidenceAutomation @relation(fields: [evidenceAutomationId], references: [id], onDelete: Cascade)
+
+  // Run details
+  status      EvidenceAutomationRunStatus @default(pending)
+  startedAt   DateTime?
+  completedAt DateTime?
+
+  // Results
+  success Boolean?
+  error   String?
+  logs    Json?
+  output  Json?
+
+  // Evaluation
+  evaluationStatus EvidenceAutomationEvaluationStatus?
+  evaluationReason String?
+
+  // Metadata
+  triggeredBy EvidenceAutomationTrigger @default(scheduled)
+  runDuration Int? // in milliseconds
+  version     Int? // Version number that was executed (null = draft)
+  Task        Task?                     @relation(fields: [taskId], references: [id])
+  taskId      String?
+
+  @@index([evidenceAutomationId])
+  @@index([status])
+  @@index([createdAt])
+  @@index([version])
 }
 
 enum EvidenceAutomationRunStatus {
-    pending
-    running
-    completed
-    failed
-    cancelled
+  pending
+  running
+  completed
+  failed
+  cancelled
 }
 
 enum EvidenceAutomationTrigger {
-    manual
-    scheduled
-    api
+  manual
+  scheduled
+  api
 }
 
 enum EvidenceAutomationEvaluationStatus {
-    pass
-    fail
+  pass
+  fail
 }
 
 
 // ===== automation-version.prisma =====
 model EvidenceAutomationVersion {
-    id        String   @id @default(dbgenerated("generate_prefixed_cuid('eav'::text)"))
-    createdAt DateTime @default(now())
-    updatedAt DateTime @updatedAt
+  id        String   @id @default(dbgenerated("generate_prefixed_cuid('eav'::text)"))
+  createdAt DateTime @default(now())
+  updatedAt DateTime @updatedAt
 
-    // Relations
-    evidenceAutomationId String
-    evidenceAutomation   EvidenceAutomation @relation(fields: [evidenceAutomationId], references: [id], onDelete: Cascade)
+  // Relations
+  evidenceAutomationId String
+  evidenceAutomation   EvidenceAutomation @relation(fields: [evidenceAutomationId], references: [id], onDelete: Cascade)
 
-    // Version details
-    version     Int // Sequential version number (1, 2, 3...)
-    scriptKey   String // S3 key for this version's script
-    publishedBy String? // User ID who published
-    changelog   String? // Optional description of changes
+  // Version details
+  version     Int // Sequential version number (1, 2, 3...)
+  scriptKey   String // S3 key for this version's script
+  publishedBy String? // User ID who published
+  changelog   String? // Optional description of changes
 
-    @@unique([evidenceAutomationId, version])
-    @@index([evidenceAutomationId])
-    @@index([createdAt])
+  @@unique([evidenceAutomationId, version])
+  @@index([evidenceAutomationId])
+  @@index([createdAt])
 }
 
 
 // ===== automation.prisma =====
 model EvidenceAutomation {
-    id          String   @id @default(dbgenerated("generate_prefixed_cuid('aut'::text)"))
-    name        String
-    description String?
-    createdAt   DateTime @default(now())
-    isEnabled   Boolean  @default(false)
+  id          String   @id @default(dbgenerated("generate_prefixed_cuid('aut'::text)"))
+  name        String
+  description String?
+  createdAt   DateTime @default(now())
+  isEnabled   Boolean  @default(false)
 
-    chatHistory        String?
-    evaluationCriteria String?
+  chatHistory        String?
+  evaluationCriteria String?
 
-    taskId String
-    task   Task   @relation(fields: [taskId], references: [id], onDelete: Cascade)
+  taskId String
+  task   Task   @relation(fields: [taskId], references: [id], onDelete: Cascade)
 
-    // Relations
-    runs     EvidenceAutomationRun[]
-    versions EvidenceAutomationVersion[]
+  // Relations
+  runs     EvidenceAutomationRun[]
+  versions EvidenceAutomationVersion[]
 
-    @@index([taskId])
+  @@index([taskId])
 }
 
 
@@ -322,22 +330,22 @@ enum CommentEntityType {
 
 // ===== context.prisma =====
 model Context {
-    id             String       @id @default(dbgenerated("generate_prefixed_cuid('ctx'::text)"))
-    organizationId String
-    organization   Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade)
+  id             String       @id @default(dbgenerated("generate_prefixed_cuid('ctx'::text)"))
+  organizationId String
+  organization   Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade)
 
-    question String
-    answer   String
+  question String
+  answer   String
 
-    tags String[]
+  tags String[]
 
-    createdAt DateTime @default(now())
-    updatedAt DateTime @updatedAt
+  createdAt DateTime @default(now())
+  updatedAt DateTime @updatedAt
 
-    @@index([organizationId])
-    @@index([question])
-    @@index([answer])
-    @@index([tags])
+  @@index([organizationId])
+  @@index([question])
+  @@index([answer])
+  @@index([tags])
 }
 
 
@@ -368,99 +376,101 @@ model Control {
 // ===== framework-editor.prisma =====
 // --- Data for Framework Editor ---
 model FrameworkEditorVideo {
-    id          String @id @default(dbgenerated("generate_prefixed_cuid('frk_vi'::text)"))
-    title       String
-    description String
-    youtubeId   String
-    url         String
+  id          String @id @default(dbgenerated("generate_prefixed_cuid('frk_vi'::text)"))
+  title       String
+  description String
+  youtubeId   String
+  url         String
 
-    // Dates
-    createdAt DateTime @default(now())
-    updatedAt DateTime @default(now()) @updatedAt
+  // Dates
+  createdAt DateTime @default(now())
+  updatedAt DateTime @default(now()) @updatedAt
 }
 
 model FrameworkEditorFramework {
-    id          String  @id @default(dbgenerated("generate_prefixed_cuid('frk'::text)"))
-    name        String // e.g., "soc2", "iso27001"
-    version     String
-    description String
-    visible     Boolean @default(false)
+  id          String  @id @default(dbgenerated("generate_prefixed_cuid('frk'::text)"))
+  name        String // e.g., "soc2", "iso27001"
+  version     String
+  description String
+  visible     Boolean @default(false)
 
-    requirements       FrameworkEditorRequirement[]
-    frameworkInstances FrameworkInstance[]
+  requirements       FrameworkEditorRequirement[]
+  frameworkInstances FrameworkInstance[]
+  soaConfigurations  SOAFrameworkConfiguration[] // Multiple SOA config versions per framework
+  soaDocuments       SOADocument[] // SOA documents from organizations
 
-    // Dates
-    createdAt DateTime @default(now())
-    updatedAt DateTime @default(now()) @updatedAt
+  // Dates
+  createdAt DateTime @default(now())
+  updatedAt DateTime @default(now()) @updatedAt
 }
 
 model FrameworkEditorRequirement {
-    id          String                   @id @default(dbgenerated("generate_prefixed_cuid('frk_rq'::text)"))
-    frameworkId String
-    framework   FrameworkEditorFramework @relation(fields: [frameworkId], references: [id])
+  id          String                   @id @default(dbgenerated("generate_prefixed_cuid('frk_rq'::text)"))
+  frameworkId String
+  framework   FrameworkEditorFramework @relation(fields: [frameworkId], references: [id])
 
-    name        String // Original requirement ID within that framework, e.g., "Privacy"
-    identifier  String @default("") // Unique identifier for the requirement, e.g., "cc1-1"
-    description String
+  name        String // Original requirement ID within that framework, e.g., "Privacy"
+  identifier  String @default("") // Unique identifier for the requirement, e.g., "cc1-1"
+  description String
 
-    controlTemplates FrameworkEditorControlTemplate[]
-    requirementMaps  RequirementMap[]
+  controlTemplates FrameworkEditorControlTemplate[]
+  requirementMaps  RequirementMap[]
 
-    // Dates
-    createdAt DateTime @default(now())
-    updatedAt DateTime @default(now()) @updatedAt
+  // Dates
+  createdAt DateTime @default(now())
+  updatedAt DateTime @default(now()) @updatedAt
 }
 
 model FrameworkEditorPolicyTemplate {
-    id          String      @id @default(dbgenerated("generate_prefixed_cuid('frk_pt'::text)"))
-    name        String
-    description String
-    frequency   Frequency // Using the enum from shared.prisma
-    department  Departments // Using the enum from shared.prisma
-    content     Json
+  id          String      @id @default(dbgenerated("generate_prefixed_cuid('frk_pt'::text)"))
+  name        String
+  description String
+  frequency   Frequency // Using the enum from shared.prisma
+  department  Departments // Using the enum from shared.prisma
+  content     Json
 
-    controlTemplates FrameworkEditorControlTemplate[]
+  controlTemplates FrameworkEditorControlTemplate[]
 
-    // Dates
-    createdAt DateTime @default(now())
-    updatedAt DateTime @default(now()) @updatedAt
+  // Dates
+  createdAt DateTime @default(now())
+  updatedAt DateTime @default(now()) @updatedAt
 
-    // Instances
-    policies Policy[]
+  // Instances
+  policies Policy[]
 }
 
 model FrameworkEditorTaskTemplate {
-    id          String      @id @default(dbgenerated("generate_prefixed_cuid('frk_tt'::text)"))
-    name        String
-    description String
-    frequency   Frequency // Using the enum from shared.prisma
-    department  Departments // Using the enum from shared.prisma
+  id          String      @id @default(dbgenerated("generate_prefixed_cuid('frk_tt'::text)"))
+  name        String
+  description String
+  frequency   Frequency // Using the enum from shared.prisma
+  department  Departments // Using the enum from shared.prisma
 
-    controlTemplates FrameworkEditorControlTemplate[]
+  controlTemplates FrameworkEditorControlTemplate[]
 
-    // Dates
-    createdAt DateTime @default(now())
-    updatedAt DateTime @default(now()) @updatedAt
+  // Dates
+  createdAt DateTime @default(now())
+  updatedAt DateTime @default(now()) @updatedAt
 
-    // Instances
-    tasks Task[]
+  // Instances
+  tasks Task[]
 }
 
 model FrameworkEditorControlTemplate {
-    id          String @id @default(dbgenerated("generate_prefixed_cuid('frk_ct'::text)"))
-    name        String
-    description String
+  id          String @id @default(dbgenerated("generate_prefixed_cuid('frk_ct'::text)"))
+  name        String
+  description String
 
-    policyTemplates FrameworkEditorPolicyTemplate[]
-    requirements    FrameworkEditorRequirement[]
-    taskTemplates   FrameworkEditorTaskTemplate[]
+  policyTemplates FrameworkEditorPolicyTemplate[]
+  requirements    FrameworkEditorRequirement[]
+  taskTemplates   FrameworkEditorTaskTemplate[]
 
-    // Dates
-    createdAt DateTime @default(now())
-    updatedAt DateTime @default(now()) @updatedAt
+  // Dates
+  createdAt DateTime @default(now())
+  updatedAt DateTime @default(now()) @updatedAt
 
-    // Instances
-    controls Control[]
+  // Instances
+  controls Control[]
 }
 
 
@@ -516,24 +526,58 @@ model IntegrationResult {
 }
 
 
+// ===== knowledge-base-document.prisma =====
+model KnowledgeBaseDocument {
+  id               String                                @id @default(dbgenerated("generate_prefixed_cuid('kbd'::text)"))
+  name             String // Original filename
+  description      String? // Optional user description/notes
+  s3Key            String // S3 storage key (e.g., "org123/knowledge-base-documents/timestamp-file.pdf")
+  fileType         String // MIME type (e.g., "application/pdf")
+  fileSize         Int // File size in bytes
+  processingStatus KnowledgeBaseDocumentProcessingStatus @default(pending) // Track indexing status
+  processedAt      DateTime? // When indexing completed
+  triggerRunId     String? // Trigger.dev run ID for tracking processing progress
+
+  // Dates
+  createdAt DateTime @default(now())
+  updatedAt DateTime @updatedAt
+
+  // Relationships
+  organizationId String
+  organization   Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade)
+
+  @@index([organizationId])
+  @@index([organizationId, processingStatus])
+  @@index([s3Key])
+  @@index([triggerRunId])
+}
+
+enum KnowledgeBaseDocumentProcessingStatus {
+  pending // Uploaded but not yet processed/indexed
+  processing // Currently being processed/indexed
+  completed // Successfully indexed in vector database
+  failed // Processing failed
+}
+
+
 // ===== onboarding.prisma =====
 model Onboarding {
-    organizationId        String       @id
-    organization          Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade)
-    policies              Boolean      @default(false)
-    employees             Boolean      @default(false)
-    vendors               Boolean      @default(false)
-    integrations          Boolean      @default(false)
-    risk                  Boolean      @default(false)
-    team                  Boolean      @default(false)
-    tasks                 Boolean      @default(false)
-    callBooked            Boolean      @default(false)
-    companyBookingDetails Json?
-    companyDetails        Json?
-    triggerJobId          String?
-    triggerJobCompleted   Boolean      @default(false)
+  organizationId        String       @id
+  organization          Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade)
+  policies              Boolean      @default(false)
+  employees             Boolean      @default(false)
+  vendors               Boolean      @default(false)
+  integrations          Boolean      @default(false)
+  risk                  Boolean      @default(false)
+  team                  Boolean      @default(false)
+  tasks                 Boolean      @default(false)
+  callBooked            Boolean      @default(false)
+  companyBookingDetails Json?
+  companyDetails        Json?
+  triggerJobId          String?
+  triggerJobCompleted   Boolean      @default(false)
 
-    @@index([organizationId])
+  @@index([organizationId])
 }
 
 
@@ -555,23 +599,31 @@ model Organization {
   fleetDmLabelId        Int?
   isFleetSetupCompleted Boolean @default(false)
 
-  apiKeys            ApiKey[]
-  auditLog           AuditLog[]
-  controls           Control[]
-  frameworkInstances FrameworkInstance[]
-  integrations       Integration[]
-  invitations        Invitation[]
-  members            Member[]
-  policy             Policy[]
-  risk               Risk[]
-  vendors            Vendor[]
-  tasks              Task[]
-  comments           Comment[]
-  attachments        Attachment[]
-  trust              Trust[]
-  context            Context[]
-  secrets            Secret[]
-
+  apiKeys                            ApiKey[]
+  auditLog                           AuditLog[]
+  controls                           Control[]
+  frameworkInstances                 FrameworkInstance[]
+  integrations                       Integration[]
+  invitations                        Invitation[]
+  members                            Member[]
+  policy                             Policy[]
+  risk                               Risk[]
+  vendors                            Vendor[]
+  tasks                              Task[]
+  comments                           Comment[]
+  attachments                        Attachment[]
+  trust                              Trust[]
+  context                            Context[]
+  secrets                            Secret[]
+  trustAccessRequests                TrustAccessRequest[]
+  trustNdaAgreements                 TrustNDAAgreement[]
+  trustDocuments                     TrustDocument[]
+  trustResources                     TrustResource[] @relation("OrganizationTrustResources")
+  knowledgeBaseDocuments             KnowledgeBaseDocument[]
+  questionnaires                     Questionnaire[]
+  securityQuestionnaireManualAnswers SecurityQuestionnaireManualAnswer[]
+  soaDocuments                       SOADocument[]
+  primaryColor                       String?
   @@index([slug])
 }
 
@@ -618,21 +670,84 @@ model Policy {
 }
 
 
+// ===== questionnaire.prisma =====
+model Questionnaire {
+  id                String              @id @default(dbgenerated("generate_prefixed_cuid('qst'::text)"))
+  filename          String // Original filename
+  s3Key             String // S3 storage key for the uploaded file
+  fileType          String // MIME type (e.g., "application/pdf")
+  fileSize          Int // File size in bytes
+  status            QuestionnaireStatus @default(parsing) // Parsing status
+  parsedAt          DateTime? // When parsing completed
+  totalQuestions    Int                 @default(0) // Total number of questions parsed
+  answeredQuestions Int                 @default(0) // Number of questions with answers
+
+  // Dates
+  createdAt DateTime @default(now())
+  updatedAt DateTime @updatedAt
+
+  // Relationships
+  organizationId String
+  organization   Organization                        @relation(fields: [organizationId], references: [id], onDelete: Cascade)
+  questions      QuestionnaireQuestionAnswer[]
+  manualAnswers  SecurityQuestionnaireManualAnswer[] // Manual answers saved from this questionnaire
+
+  @@index([organizationId])
+  @@index([organizationId, createdAt])
+  @@index([status])
+}
+
+model QuestionnaireQuestionAnswer {
+  id            String                    @id @default(dbgenerated("generate_prefixed_cuid('qqa'::text)"))
+  question      String // The question text
+  answer        String? // The answer (nullable if not provided in file or not generated yet)
+  status        QuestionnaireAnswerStatus @default(untouched) // Answer status
+  questionIndex Int // Order/index of the question in the questionnaire
+  sources       Json? // Sources used for generated answers (array of source objects)
+  generatedAt   DateTime? // When answer was generated (if status is generated)
+  updatedBy     String? // User ID who last updated the answer (if manual)
+
+  // Dates
+  createdAt DateTime @default(now())
+  updatedAt DateTime @updatedAt
+
+  // Relationships
+  questionnaireId String
+  questionnaire   Questionnaire @relation(fields: [questionnaireId], references: [id], onDelete: Cascade)
+
+  @@index([questionnaireId])
+  @@index([questionnaireId, questionIndex])
+  @@index([status])
+}
+
+enum QuestionnaireStatus {
+  parsing // Currently being parsed
+  completed // Successfully parsed
+  failed // Parsing failed
+}
+
+enum QuestionnaireAnswerStatus {
+  untouched // No answer yet (empty or not generated)
+  generated // AI generated answer
+  manual // Manually written/edited by user
+}
+
+
 // ===== requirement.prisma =====
 model RequirementMap {
-    id String @id @default(dbgenerated("generate_prefixed_cuid('req'::text)"))
+  id String @id @default(dbgenerated("generate_prefixed_cuid('req'::text)"))
 
-    requirementId String
-    requirement   FrameworkEditorRequirement @relation(fields: [requirementId], references: [id], onDelete: Cascade)
+  requirementId String
+  requirement   FrameworkEditorRequirement @relation(fields: [requirementId], references: [id], onDelete: Cascade)
 
-    controlId String
-    control   Control @relation(fields: [controlId], references: [id], onDelete: Cascade)
+  controlId String
+  control   Control @relation(fields: [controlId], references: [id], onDelete: Cascade)
 
-    frameworkInstanceId String
-    frameworkInstance   FrameworkInstance @relation(fields: [frameworkInstanceId], references: [id], onDelete: Cascade)
+  frameworkInstanceId String
+  frameworkInstance   FrameworkInstance @relation(fields: [frameworkInstanceId], references: [id], onDelete: Cascade)
 
-    @@unique([controlId, frameworkInstanceId, requirementId])
-    @@index([requirementId, frameworkInstanceId])
+  @@unique([controlId, frameworkInstanceId, requirementId])
+  @@index([requirementId, frameworkInstanceId])
 }
 
 
@@ -699,228 +814,569 @@ enum RiskStatus {
 
 // ===== secret.prisma =====
 model Secret {
-    id             String    @id @default(dbgenerated("generate_prefixed_cuid('sec'::text)"))
-    organizationId String    @map("organization_id")
-    name           String
-    value          String    @db.Text // Encrypted value
-    description    String?   @db.Text
-    category       String? // e.g., "api", "webhook", "database", etc.
-    lastUsedAt     DateTime? @map("last_used_at")
-    createdAt      DateTime  @default(now()) @map("created_at")
-    updatedAt      DateTime  @updatedAt @map("updated_at")
+  id             String    @id @default(dbgenerated("generate_prefixed_cuid('sec'::text)"))
+  organizationId String    @map("organization_id")
+  name           String
+  value          String    @db.Text // Encrypted value
+  description    String?   @db.Text
+  category       String? // e.g., "api", "webhook", "database", etc.
+  lastUsedAt     DateTime? @map("last_used_at")
+  createdAt      DateTime  @default(now()) @map("created_at")
+  updatedAt      DateTime  @updatedAt @map("updated_at")
+
+  organization Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade)
+
+  @@unique([organizationId, name])
+  @@map("secrets")
+}
+
+
+// ===== security-questionnaire-manual-answer.prisma =====
+model SecurityQuestionnaireManualAnswer {
+  id       String   @id @default(dbgenerated("generate_prefixed_cuid('sqma'::text)"))
+  question String // The question text
+  answer   String // The answer text (required for saved answers)
+  tags     String[] @default([]) // Optional tags for categorization
+
+  // Optional reference to original questionnaire (for tracking)
+  sourceQuestionnaireId String?
+  sourceQuestionnaire   Questionnaire? @relation(fields: [sourceQuestionnaireId], references: [id], onDelete: SetNull)
+
+  // User who created/updated this answer
+  createdBy String? // User ID
+  updatedBy String? // User ID
+
+  // Dates
+  createdAt DateTime @default(now())
+  updatedAt DateTime @updatedAt
 
-    organization Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade)
+  // Relationships
+  organizationId String
+  organization   Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade)
 
-    @@unique([organizationId, name])
-    @@map("secrets")
+  @@unique([organizationId, question]) // Prevent duplicate questions per organization
+  @@index([organizationId])
+  @@index([organizationId, question])
+  @@index([tags])
+  @@index([createdAt])
 }
 
 
 // ===== shared.prisma =====
 model ApiKey {
-    id         String    @id @default(dbgenerated("generate_prefixed_cuid('apk'::text)"))
-    name       String
-    key        String    @unique
-    salt       String?
-    createdAt  DateTime  @default(now())
-    expiresAt  DateTime?
-    lastUsedAt DateTime?
-    isActive   Boolean   @default(true)
+  id         String    @id @default(dbgenerated("generate_prefixed_cuid('apk'::text)"))
+  name       String
+  key        String    @unique
+  salt       String?
+  createdAt  DateTime  @default(now())
+  expiresAt  DateTime?
+  lastUsedAt DateTime?
+  isActive   Boolean   @default(true)
 
-    organization   Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade)
-    organizationId String
+  organization   Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade)
+  organizationId String
 
-    @@index([organizationId])
-    @@index([key])
+  @@index([organizationId])
+  @@index([key])
 }
 
 model AuditLog {
-    id             String              @id @default(dbgenerated("generate_prefixed_cuid('aud'::text)"))
-    timestamp      DateTime            @default(now())
-    organizationId String
-    userId         String
-    memberId       String?
-    data           Json
-    description    String?
-    entityId       String?
-    entityType     AuditLogEntityType?
-
-    organization Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade)
-    user         User         @relation(fields: [userId], references: [id], onDelete: Cascade)
-    member       Member?      @relation(fields: [memberId], references: [id], onDelete: Cascade)
-
-    @@index([userId])
-    @@index([organizationId])
-    @@index([memberId])
-    @@index([entityType])
+  id             String              @id @default(dbgenerated("generate_prefixed_cuid('aud'::text)"))
+  timestamp      DateTime            @default(now())
+  organizationId String
+  userId         String
+  memberId       String?
+  data           Json
+  description    String?
+  entityId       String?
+  entityType     AuditLogEntityType?
+
+  organization Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade)
+  user         User         @relation(fields: [userId], references: [id], onDelete: Cascade)
+  member       Member?      @relation(fields: [memberId], references: [id], onDelete: Cascade)
+
+  @@index([userId])
+  @@index([organizationId])
+  @@index([memberId])
+  @@index([entityType])
 }
 
 enum AuditLogEntityType {
-    organization
-    framework
-    requirement
-    control
-    policy
-    task
-    people
-    risk
-    vendor
-    tests
-    integration
+  organization
+  framework
+  requirement
+  control
+  policy
+  task
+  people
+  risk
+  vendor
+  tests
+  integration
+  trust
 }
 
 model GlobalVendors {
-    website                     String   @id @unique
-    company_name                String?
-    legal_name                  String?
-    company_description         String?
-    company_hq_address          String?
-    privacy_policy_url          String?
-    terms_of_service_url        String?
-    service_level_agreement_url String?
-    security_page_url           String?
-    trust_page_url              String?
-    security_certifications     String[]
-    subprocessors               String[]
-    type_of_company             String?
-
-    approved  Boolean  @default(false)
-    createdAt DateTime @default(now())
-
-    @@index([website])
+  website                     String   @id @unique
+  company_name                String?
+  legal_name                  String?
+  company_description         String?
+  company_hq_address          String?
+  privacy_policy_url          String?
+  terms_of_service_url        String?
+  service_level_agreement_url String?
+  security_page_url           String?
+  trust_page_url              String?
+  security_certifications     String[]
+  subprocessors               String[]
+  type_of_company             String?
+
+  approved  Boolean  @default(false)
+  createdAt DateTime @default(now())
+
+  @@index([website])
 }
 
 enum Departments {
-    none
-    admin
-    gov
-    hr
-    it
-    itsm
-    qms
+  none
+  admin
+  gov
+  hr
+  it
+  itsm
+  qms
 }
 
 enum Frequency {
-    monthly
-    quarterly
-    yearly
+  monthly
+  quarterly
+  yearly
 }
 
 enum Likelihood {
-    very_unlikely
-    unlikely
-    possible
-    likely
-    very_likely
+  very_unlikely
+  unlikely
+  possible
+  likely
+  very_likely
 }
 
 enum Impact {
-    insignificant
-    minor
-    moderate
-    major
-    severe
+  insignificant
+  minor
+  moderate
+  major
+  severe
+}
+
+
+// ===== soa.prisma =====
+// Statement of Applicability (SOA) Auto-complete Configuration and Answers
+
+model SOAFrameworkConfiguration {
+  id          String                   @id @default(dbgenerated("generate_prefixed_cuid('soa_cfg'::text)"))
+  frameworkId String
+  framework   FrameworkEditorFramework @relation(fields: [frameworkId], references: [id], onDelete: Cascade)
+
+  // Configuration versioning - allows multiple configurations per framework
+  version  Int     @default(1) // Version number for this configuration (increments when config changes)
+  isLatest Boolean @default(true) // Whether this is the latest configuration version
+
+  // Column definitions for SOA structure (template used when creating new documents)
+  columns Json // Array of { name: string, type: string } objects
+  // Example: [{ name: "Control ID", type: "string" }, { name: "Control Name", type: "string" }, { name: "Applicable", type: "boolean" }, { name: "Justification", type: "text" }]
+
+  // Predefined questions for this framework
+  // Documents reference a specific configuration version via SOADocument.configurationId
+  // Old documents keep their old config version, new documents use new config version
+  questions Json // Array of question objects with unique IDs
+  // Example: [{ id: "A.5.1.1", text: "Is this control applicable?", columnMapping: "Applicable", controlId: "A.5.1.1" }, ...]
+  // IMPORTANT: question.id must be unique and stable - this is what SOAAnswer.questionId references
+
+  // Dates
+  createdAt DateTime @default(now())
+  updatedAt DateTime @updatedAt
+
+  // Relationships
+  documents SOADocument[]
+
+  @@unique([frameworkId, version]) // Prevent duplicate configuration versions
+  @@index([frameworkId])
+  @@index([frameworkId, version])
+  @@index([frameworkId, isLatest])
+}
+
+model SOADocument {
+  id String @id @default(dbgenerated("generate_prefixed_cuid('soa_doc'::text)"))
+
+  // Framework and organization context
+  frameworkId    String
+  framework      FrameworkEditorFramework @relation(fields: [frameworkId], references: [id], onDelete: Cascade)
+  organizationId String
+  organization   Organization             @relation(fields: [organizationId], references: [id], onDelete: Cascade)
+
+  // Configuration reference - references a specific SOAFrameworkConfiguration version
+  // Each document version can use a different configuration version
+  // Old documents keep their old config, new documents use new config
+  configurationId String
+  configuration   SOAFrameworkConfiguration @relation(fields: [configurationId], references: [id], onDelete: Cascade)
+
+  // Document versioning
+  version  Int     @default(1) // Version number for this document (increments yearly)
+  isLatest Boolean @default(true) // Whether this is the latest version
+
+  // Document status
+  status SOADocumentStatus @default(draft) // draft, in_progress, completed
+
+  // Document metadata
+  totalQuestions    Int @default(0) // Total number of questions in this document
+  answeredQuestions Int @default(0) // Number of questions with answers
+
+  // Approval tracking
+  preparedBy String  @default("Comp AI") // Always "Comp AI"
+  approverId String? // Member ID who will approve this document (set when submitted for approval)
+  approver   Member? @relation("SOADocumentApprover", fields: [approverId], references: [id], onDelete: SetNull, onUpdate: Cascade)
+  approvedAt DateTime? // When document was approved
+
+  // Dates
+  completedAt DateTime? // When document was completed
+  createdAt   DateTime  @default(now())
+  updatedAt   DateTime  @updatedAt
+
+  // Relationships
+  answers SOAAnswer[]
+
+  @@unique([frameworkId, organizationId, version]) // Prevent duplicate versions
+  @@index([frameworkId, organizationId])
+  @@index([frameworkId, organizationId, version])
+  @@index([frameworkId, organizationId, isLatest])
+  @@index([configurationId])
+  @@index([status])
+}
+
+model SOAAnswer {
+  id String @id @default(dbgenerated("generate_prefixed_cuid('soa_ans'::text)"))
+
+  // Document context (replaces direct framework/organization link)
+  documentId String
+  document   SOADocument @relation(fields: [documentId], references: [id], onDelete: Cascade)
+
+  // Question reference - references question.id from SOADocument.configuration.questions
+  // References the specific configuration version that the document uses
+  // If config changes, old documents still reference their old config version
+  questionId String // Must match a question.id from SOADocument.configuration.questions
+
+  // Answer data - simple text answer
+  answer String? // Text answer (nullable if not generated yet)
+
+  // Answer metadata
+  status      SOAAnswerStatus @default(untouched) // untouched, generated, manual
+  sources     Json? // Sources used for generated answers (similar to questionnaire)
+  generatedAt DateTime? // When answer was generated
+
+  // Answer versioning (within the document)
+  answerVersion  Int     @default(1) // Version number for this specific answer
+  isLatestAnswer Boolean @default(true) // Whether this is the latest version of this answer
+
+  // User tracking
+  createdBy String? // User ID who created this answer
+  updatedBy String? // User ID who last updated this answer
+
+  // Dates
+  createdAt DateTime @default(now())
+  updatedAt DateTime @updatedAt
+
+  @@unique([documentId, questionId, answerVersion]) // Prevent duplicate answer versions
+  @@index([documentId])
+  @@index([documentId, questionId])
+  @@index([documentId, questionId, isLatestAnswer])
+  @@index([status])
+}
+
+enum SOADocumentStatus {
+  draft // Document is being created/edited
+  in_progress // Document is being generated
+  needs_review // Document is submitted for approval
+  completed // Document is complete and approved
+}
+
+enum SOAAnswerStatus {
+  untouched // No answer yet (not generated)
+  generated // AI generated answer
+  manual // Manually written/edited by user
 }
 
 
 // ===== task.prisma =====
 model Task {
-    // Metadata
-    id          String         @id @default(dbgenerated("generate_prefixed_cuid('tsk'::text)"))
-    title       String
-    description String
-    status      TaskStatus     @default(todo)
-    frequency   TaskFrequency?
-    department  Departments?   @default(none)
-    order       Int            @default(0)
-
-    // Dates
-    createdAt       DateTime  @default(now())
-    updatedAt       DateTime  @updatedAt
-    lastCompletedAt DateTime?
-    reviewDate      DateTime?
-
-    // Relationships
-    assigneeId          String?
-    assignee            Member?                      @relation(fields: [assigneeId], references: [id])
-    organizationId      String
-    organization        Organization                 @relation(fields: [organizationId], references: [id], onDelete: Cascade)
-    taskTemplateId      String?
-    taskTemplate        FrameworkEditorTaskTemplate? @relation(fields: [taskTemplateId], references: [id])
-    controls            Control[]
-    vendors             Vendor[]
-    risks               Risk[]
-    evidenceAutomations EvidenceAutomation[]
-
-    EvidenceAutomationRun EvidenceAutomationRun[]
+  // Metadata
+  id          String         @id @default(dbgenerated("generate_prefixed_cuid('tsk'::text)"))
+  title       String
+  description String
+  status      TaskStatus     @default(todo)
+  frequency   TaskFrequency?
+  department  Departments?   @default(none)
+  order       Int            @default(0)
+
+  // Dates
+  createdAt       DateTime  @default(now())
+  updatedAt       DateTime  @updatedAt
+  lastCompletedAt DateTime?
+  reviewDate      DateTime?
+
+  // Relationships
+  assigneeId          String?
+  assignee            Member?                      @relation(fields: [assigneeId], references: [id])
+  organizationId      String
+  organization        Organization                 @relation(fields: [organizationId], references: [id], onDelete: Cascade)
+  taskTemplateId      String?
+  taskTemplate        FrameworkEditorTaskTemplate? @relation(fields: [taskTemplateId], references: [id])
+  controls            Control[]
+  vendors             Vendor[]
+  risks               Risk[]
+  evidenceAutomations EvidenceAutomation[]
+
+  EvidenceAutomationRun EvidenceAutomationRun[]
 }
 
 enum TaskStatus {
-    todo
-    in_progress
-    done
-    not_relevant
-    failed
+  todo
+  in_progress
+  done
+  not_relevant
+  failed
 }
 
 enum TaskFrequency {
-    daily
-    weekly
-    monthly
-    quarterly
-    yearly
+  daily
+  weekly
+  monthly
+  quarterly
+  yearly
 }
 
 
 // ===== trust.prisma =====
 model Trust {
-    organizationId     String
-    organization       Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade)
-    friendlyUrl        String?      @unique
-    domain             String?
-    domainVerified     Boolean      @default(false)
-    isVercelDomain     Boolean      @default(false)
-    vercelVerification String?
-    status             TrustStatus  @default(draft)
-    contactEmail       String?
-
-    email         String?
-    privacyPolicy String?
-    soc2          Boolean @default(false)
-    soc2type1     Boolean @default(false)
-    soc2type2     Boolean @default(false)
-    iso27001      Boolean @default(false)
-    iso42001      Boolean @default(false)
-    nen7510       Boolean @default(false)
-    gdpr          Boolean @default(false)
-    hipaa         Boolean @default(false)
-    pci_dss       Boolean @default(false)
-
-    soc2_status        FrameworkStatus @default(started)
-    soc2type1_status   FrameworkStatus @default(started)
-    soc2type2_status   FrameworkStatus @default(started)
-    iso27001_status    FrameworkStatus @default(started)
-    iso42001_status    FrameworkStatus @default(started)
-    nen7510_status     FrameworkStatus @default(started)
-    gdpr_status        FrameworkStatus @default(started)
-    hipaa_status       FrameworkStatus @default(started)
-    pci_dss_status     FrameworkStatus @default(started)
-
-    @@id([status, organizationId])
-    @@unique([organizationId])
-    @@index([organizationId])
-    @@index([friendlyUrl])
+  organizationId     String
+  organization       Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade)
+  friendlyUrl        String?      @unique
+  domain             String?
+  domainVerified     Boolean      @default(false)
+  isVercelDomain     Boolean      @default(false)
+  vercelVerification String?
+  status             TrustStatus  @default(draft)
+  contactEmail       String?
+
+  email         String?
+  privacyPolicy String?
+  soc2          Boolean @default(false)
+  soc2type1     Boolean @default(false)
+  soc2type2     Boolean @default(false)
+  iso27001      Boolean @default(false)
+  iso42001      Boolean @default(false)
+  nen7510       Boolean @default(false)
+  gdpr          Boolean @default(false)
+  hipaa         Boolean @default(false)
+  pci_dss       Boolean @default(false)
+  iso9001       Boolean @default(false)
+
+  soc2_status      FrameworkStatus @default(started)
+  soc2type1_status FrameworkStatus @default(started)
+  soc2type2_status FrameworkStatus @default(started)
+  iso27001_status  FrameworkStatus @default(started)
+  iso42001_status  FrameworkStatus @default(started)
+  nen7510_status   FrameworkStatus @default(started)
+  gdpr_status      FrameworkStatus @default(started)
+  hipaa_status     FrameworkStatus @default(started)
+  pci_dss_status   FrameworkStatus @default(started)
+  iso9001_status   FrameworkStatus @default(started)
+
+  @@id([status, organizationId])
+  @@unique([organizationId])
+  @@index([organizationId])
+  @@index([friendlyUrl])
 }
 
 enum TrustStatus {
-    draft
-    published
+  draft
+  published
 }
 
 enum FrameworkStatus {
-    started
-    in_progress
-    compliant
+  started
+  in_progress
+  compliant
+}
+
+enum TrustFramework {
+  iso_27001
+  iso_42001
+  gdpr
+  hipaa
+  soc2_type1
+  soc2_type2
+  pci_dss
+  nen_7510
+  iso_9001
+}
+
+model TrustResource {
+  id             String         @id @default(dbgenerated("generate_prefixed_cuid('tcr'::text)"))
+  organizationId String
+  organization   Organization   @relation("OrganizationTrustResources", fields: [organizationId], references: [id], onDelete: Cascade)
+  framework      TrustFramework
+  s3Key          String
+  fileName       String
+  fileSize       Int
+  createdAt      DateTime       @default(now())
+  updatedAt      DateTime       @updatedAt
+
+  @@unique([organizationId, framework])
+  @@index([organizationId])
+}
+
+model TrustAccessRequest {
+  id             String       @id @default(dbgenerated("generate_prefixed_cuid('tar'::text)"))
+  organizationId String
+  organization   Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade)
+
+  name                  String
+  email                 String
+  company               String?
+  jobTitle              String?
+  purpose               String?
+  requestedDurationDays Int?
+
+  status           TrustAccessRequestStatus @default(under_review)
+  reviewerMemberId String?
+  reviewer         Member?                  @relation("TrustAccessRequestReviewer", fields: [reviewerMemberId], references: [id], onDelete: SetNull)
+  reviewedAt       DateTime?
+  decisionReason   String?
+
+  ipAddress String?
+  userAgent String?
+
+  createdAt DateTime @default(now())
+  updatedAt DateTime @updatedAt
+
+  grant         TrustAccessGrant?   @relation("RequestGrant")
+  ndaAgreements TrustNDAAgreement[] @relation("RequestNDA")
+
+  @@index([organizationId])
+  @@index([email])
+  @@index([status])
+  @@index([organizationId, status])
+}
+
+model TrustAccessGrant {
+  id String @id @default(dbgenerated("generate_prefixed_cuid('tag'::text)"))
+
+  accessRequestId String             @unique
+  accessRequest   TrustAccessRequest @relation("RequestGrant", fields: [accessRequestId], references: [id], onDelete: Cascade)
+
+  subjectEmail String
+
+  status    TrustAccessGrantStatus @default(active)
+  expiresAt DateTime
+
+  accessToken          String?   @unique
+  accessTokenExpiresAt DateTime?
+
+  issuedByMemberId String?
+  issuedBy         Member? @relation("IssuedGrants", fields: [issuedByMemberId], references: [id], onDelete: SetNull)
+
+  revokedAt         DateTime?
+  revokedByMemberId String?
+  revokedBy         Member?   @relation("RevokedGrants", fields: [revokedByMemberId], references: [id], onDelete: SetNull)
+  revokeReason      String?
+
+  createdAt DateTime @default(now())
+  updatedAt DateTime @updatedAt
+
+  ndaAgreement TrustNDAAgreement? @relation("GrantNDA")
+
+  @@index([accessRequestId])
+  @@index([subjectEmail])
+  @@index([status])
+  @@index([expiresAt])
+  @@index([status, expiresAt])
+  @@index([accessToken])
+}
+
+enum TrustAccessRequestStatus {
+  under_review
+  approved
+  denied
+  canceled
+}
+
+enum TrustAccessGrantStatus {
+  active
+  expired
+  revoked
+}
+
+model TrustNDAAgreement {
+  id String @id @default(dbgenerated("generate_prefixed_cuid('tna'::text)"))
+
+  organizationId String
+  organization   Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade)
+
+  accessRequestId String
+  accessRequest   TrustAccessRequest @relation("RequestNDA", fields: [accessRequestId], references: [id], onDelete: Cascade)
+
+  grantId String?           @unique
+  grant   TrustAccessGrant? @relation("GrantNDA", fields: [grantId], references: [id], onDelete: SetNull)
+
+  signerName  String?
+  signerEmail String?
+
+  status TrustNDAStatus @default(pending)
+
+  signToken          String   @unique
+  signTokenExpiresAt DateTime
+
+  pdfTemplateKey String?
+  pdfSignedKey   String?
+
+  signedAt DateTime?
+
+  ipAddress String?
+  userAgent String?
+
+  createdAt DateTime @default(now())
+  updatedAt DateTime @updatedAt
+
+  @@index([organizationId])
+  @@index([accessRequestId])
+  @@index([signToken])
+  @@index([status])
+}
+
+enum TrustNDAStatus {
+  pending
+  signed
+  void
+}
+
+model TrustDocument {
+  id String @id @default(dbgenerated("generate_prefixed_cuid('tdoc'::text)"))
+
+  organizationId String
+  organization   Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade)
+
+  name        String
+  description String?
+  s3Key       String
+
+  isActive Boolean @default(true)
+
+  createdAt DateTime @default(now())
+  updatedAt DateTime @updatedAt
+
+  @@index([organizationId])
+  @@index([organizationId, isActive])
 }