Skip to content

Security posture

Enforced in the schema, not the interface

Trust is the product, so the controls live where they can't be bypassed — in the database and on the server, not in a screen a request can route around. This is what that means in practice.

Tenant isolation

Separation is enforced at the database, so it holds no matter which endpoint the request comes through.

RLS on every table
Row-level security is enabled on every business table with a tenant policy in the same migration. A table shipped without a policy fails a CI guard.
Scoped by membership
Reads and writes are constrained to the accounts a user belongs to. A user of one account cannot read or write another's data through any path.
Helpers off the API
The functions that resolve a caller's accounts live in a private schema, so they are never exposed as callable endpoints.

Evidence and integrity

Every material action leaves a record that can be read but not rewritten.

Append-only audit log
Creates, updates, deletes, and every portal open and download are written with the acting party and a timestamp. There is no update or delete path on the log.
Sealed packages
Sealing pins exact document versions and fixes a content hash. A sealed package is immutable; a change is a new version, never a silent edit.
Per-recipient watermarks
Distributed files are stamped with the serial and a timestamp, so a leaked copy traces back to the recipient who received it.

Distribution

External delivery grants the least access that works, and defaults to no access.

Tokenized, expiring links
Recipients open a high-entropy link with no account. Links carry an expiry, can be revoked, and reveal nothing once expired, revoked, or unknown — they fail closed.
One-time codes
An optional code gate is enforced at the data layer, with a lockout after repeated wrong attempts and rate limiting on opens and downloads.
Short-lived file access
Downloads mint a signed URL that lives for seconds. There is no permanent object URL, and the portal is never indexed.

Platform

The boundaries the app runs behind.

Server-mediated sessions
Sessions are httpOnly, Secure, SameSite cookies. Authenticated data access runs under row-level security; mutations enforce same-origin.
Secret split
Only client-safe values reach the browser bundle. The service-role key is referenced from server-only code and is never shipped to a client.
Hardened headers
A strict content-security policy, HSTS, and framing and sniffing protections are set on every response. Fonts are self-hosted — no third-party network calls.

Ready to put a document on the record?