Tenant isolation, enforced at the database
Every business runs in its own isolated space. Isolation is not left to application code alone — it is enforced by PostgreSQL Row-Level Security.
- A two-pool architecture: the application connects on a non-superuser role that cannot bypass row-level security (NOBYPASSRLS), with FORCE ROW LEVEL SECURITY on every tenant-scoped table.
- Each request is pinned to exactly one organisation via a per-request database setting; policies fail closed, so a query with no tenant context returns nothing.
- Our cross-tenant test sweep passed 51/51: 12 attempts to read another tenant’s data returned “not found”, and 13 attempts to write across tenants were denied.
Role-based access control on every action
Reading and changing data is gated by role. This is verified structurally, not by convention.
- Every state-changing endpoint carries an explicit role/permission gate, a guard, or is deliberately public — never accidentally open.
- A continuous-integration invariant walks the live route tree and fails the build if any mutating route is missing its access-control gate.
- Super-admin (platform operator) actions require a separate, short-lived elevated session protected by two-factor authentication.
Secrets encrypted at rest
Credentials you connect — email, bank feeds, payment and accounting integrations — are encrypted before they touch the database.
- Integration and platform secrets are stored as AES-256-GCM encrypted envelopes, decrypted only in memory at the moment they are used.
- Secret values are masked on read in the admin console and are never written to logs.
Sessions & transport
Authentication is designed to keep tokens out of reach of scripts and eavesdroppers.
- Sessions use httpOnly, Secure, SameSite cookies in production, so tokens are not exposed to page JavaScript.
- All traffic is served over TLS. The platform is hosted in AWS Sydney (ap-southeast-2).
Backups & recovery
Your data is backed up and the restore path is tested — not assumed.
- Nightly logical database backups are age-encrypted and shipped to object storage in the Sydney region.
- The restore procedure is documented and has been exercised in a restore drill.
Financial integrity
The ledger is the source of truth, and it is kept honest by construction.
- Every money movement posts a balanced double-entry journal; the trial balance nets to zero.
- The audit trail is append-only — history is recorded, not overwritten.
An honest note on certifications
We do not currently hold third-party attestations such as SOC 2 or ISO 27001, and we will not claim ones we don’t have. What we can show you is the concrete engineering above — much of it independently exercised in our own go-live certification. If your organisation needs specific compliance evidence, get in touch and we’ll walk you through what exists today and what’s on the roadmap.