Security & Compliance

Secure by architecture.

Isolation isn't a setting you toggle — it's enforced in the database. Every query is scoped to your tenant, every secret is encrypted, and every action is on the record.

Row-level isolation

Every tenant's data is fenced off by a PostgreSQL row-level security policy. The tenant context is set per request — no application bug can read across companies.

-- enforced on every table (your_table is a placeholder name)
CREATE POLICY tenant_isolation ON your_table
  USING (tenant_id = current_setting('app.current_tenant'));

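
An added example (not the vendor's schema or code) of what has to surround this policy for the isolation to hold in PostgreSQL: RLS enabled and forced on the table, an application role that cannot bypass it, and a tenant context that is local to one transaction. The table `invoices`, the role `app_user` and the tenant values are assumptions made for the demonstration.

```sql
-- Constructed demo: table, role and tenant values are placeholders.
CREATE ROLE app_user NOLOGIN;  -- not the owner, not superuser, no BYPASSRLS
CREATE TABLE invoices (
    id        bigserial PRIMARY KEY,
    tenant_id text    NOT NULL,
    amount    numeric NOT NULL
);
GRANT SELECT, INSERT, UPDATE, DELETE ON invoices TO app_user;
GRANT USAGE ON SEQUENCE invoices_id_seq TO app_user;

-- A policy does nothing until RLS is enabled on the table.
-- FORCE also subjects the table owner; superusers and BYPASSRLS roles still skip it.
ALTER TABLE invoices ENABLE ROW LEVEL SECURITY;
ALTER TABLE invoices FORCE ROW LEVEL SECURITY;

-- USING filters rows that can be read, updated or deleted.
-- WITH CHECK rejects inserts and updates that would land in another tenant.
-- The second argument (missing_ok) makes an unset context yield NULL, so the
-- comparison matches no rows instead of raising an error.
CREATE POLICY tenant_isolation ON invoices
    USING      (tenant_id = current_setting('app.current_tenant', true))
    WITH CHECK (tenant_id = current_setting('app.current_tenant', true));

-- Per request: one transaction, context set with is_local = true so it is
-- discarded at COMMIT/ROLLBACK and cannot follow a pooled connection.
BEGIN;
SET LOCAL ROLE app_user;
SELECT set_config('app.current_tenant', 'tenant_a', true);
INSERT INTO invoices (tenant_id, amount) VALUES ('tenant_a', 100);
COMMIT;

BEGIN;
SET LOCAL ROLE app_user;
SELECT set_config('app.current_tenant', 'tenant_b', true);
INSERT INTO invoices (tenant_id, amount) VALUES ('tenant_b', 250);
COMMIT;

-- A request for tenant_b that forgets its WHERE clause or targets tenant_a:
BEGIN;
SET LOCAL ROLE app_user;
SELECT set_config('app.current_tenant', 'tenant_b', true);
SELECT tenant_id, amount FROM invoices;                       -- USING hides tenant_a rows
UPDATE invoices SET amount = 0 WHERE tenant_id = 'tenant_a';  -- no visible row to update
INSERT INTO invoices (tenant_id, amount) VALUES ('tenant_a', 1);  -- rejected by WITH CHECK
ROLLBACK;
```

When reviewing a deployment like this, check `pg_class.relrowsecurity` and `relforcerowsecurity` for every tenant table and confirm the application's login role has neither `rolsuper` nor `rolbypassrls` set.
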
Defense in depth

Protection at every layer.

Authentication
bcrypt cost 12 hashing
JWT access + refresh rotation
TOTP 2-factor auth
SAML & OIDC SSO (Enterprise)

Encryption
AES-256-GCM for secrets
Encrypted connector configs
Encrypted backups
Magic-byte verified uploads

Access control
4 permission tiers
Module & field-level rules
Per-user data scopes
Capability re-checks on AI

Everything is on the record.

Logins, permission changes, record edits, transitions, AI calls — 102 distinct actions are written to a tamper-evident audit log with configurable retention, so you always know who did what, and when.

GDPR, built in

Self-serve data export as JSON and right-to-be-forgotten deletion with anonymization — no support ticket required.

Data export · Account deletion · DPA

Data residency

Region-aware tenants — default EU (Frankfurt), with scaffolding for additional regions as you grow.

eu-central-1 · eu-west-2 · us-east-1

Bring your security team.

We'll walk through the architecture, controls and our DPA in detail.