Security posture
Enforced in the schema, not the interface
Trust is the product, so the controls live where they can't be bypassed — in the database and on the server, not in a screen a request can route around. This is what that means in practice.
Tenant isolation
Separation is enforced at the database, so it holds no matter which endpoint the request comes through.
- RLS on every table
- Row-level security is enabled on every business table with a tenant policy in the same migration. A table shipped without a policy fails a CI guard.
- Scoped by membership
- Reads and writes are constrained to the accounts a user belongs to. A user of one account cannot read or write another's data through any path.
- Helpers off the API
- The functions that resolve a caller's accounts live in a private schema, so they are never exposed as callable endpoints.
Evidence and integrity
Every material action leaves a record that can be read but not rewritten.
- Append-only audit log
- Creates, updates, deletes, and every portal open and download are written with the acting party and a timestamp. There is no update or delete path on the log.
- Sealed packages
- Sealing pins exact document versions and fixes a content hash. A sealed package is immutable; a change is a new version, never a silent edit.
- Per-recipient watermarks
- Distributed files are stamped with the serial and a timestamp, so a leaked copy traces back to the recipient who received it.
Distribution
External delivery grants the least access that works, and defaults to no access.
- Tokenized, expiring links
- Recipients open a high-entropy link with no account. Links carry an expiry, can be revoked, and reveal nothing once expired, revoked, or unknown — they fail closed.
- One-time codes
- An optional code gate is enforced at the data layer, with a lockout after repeated wrong attempts and rate limiting on opens and downloads.
- Short-lived file access
- Downloads mint a signed URL that lives for seconds. There is no permanent object URL, and the portal is never indexed.
Platform
The boundaries the app runs behind.
- Server-mediated sessions
- Sessions are httpOnly, Secure, SameSite cookies. Authenticated data access runs under row-level security; mutations enforce same-origin.
- Secret split
- Only client-safe values reach the browser bundle. The service-role key is referenced from server-only code and is never shipped to a client.
- Hardened headers
- A strict content-security policy, HSTS, and framing and sniffing protections are set on every response. Fonts are self-hosted — no third-party network calls.