Security architecture

Built so a query can't walk out the wrong door.

Multi-tenant isolation isn't a check bolted onto individual handlers; it's a row-level organizationId filter applied to every query, plus a kernel guard that refuses any batch straddling tenants. Below: the live shape of how Customer Data stays in its lane.

[Diagram: API · oRPC kernel. The tenant guard (organizationId = ?) scopes every query before data access, so a request for org=B never reaches Tenant A. Tenants shown: Tenant A, Acme Manufacturing, 82 rows · 14 docs; Tenant B, Bright Web Studio, 47 rows · 9 docs; Tenant C, Cedar Trading Co., 126 rows · 22 docs. Counter: 12,312 queries today, 0 cross-tenant.]
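What that guard looks like in code, as an added illustration rather than the product's own oRPC kernel: the organizationId comes from the authenticated session, never from request input; every read has the organizationId predicate added by the kernel; creates are stamped with the session's org regardless of what the client sends; and a batch that names more than one org, or any org but the caller's, is refused before a single mutation runs. The names (Session, Mutation, TenantViolation, scopedFind, scopedGet, guardBatch, applyCreates) and the in-memory vouchers table are assumptions made for this example.

```typescript
// Added example, not the product's code. A minimal tenant guard with the
// properties the page describes; names and sample data are hypothetical.

type OrgId = string;

interface Session {
  userId: string;
  organizationId: OrgId; // from the authenticated principal, never from the request body
}

interface Row {
  id: string;
  organizationId: OrgId;
  [column: string]: unknown;
}

interface Mutation {
  op: "create" | "update" | "delete";
  table: string;
  organizationId: OrgId; // org of the row this mutation touches
  payload: Record<string, unknown>;
}

class TenantViolation extends Error {}

// Constructed sample data standing in for database tables.
const tables: Record<string, Row[]> = {
  vouchers: [
    { id: "v1", organizationId: "A", total: 100 },
    { id: "v2", organizationId: "B", total: 250 },
    { id: "v3", organizationId: "A", total: 75 },
  ],
};

// Every read passes through here. The organizationId predicate is added from
// the session by the kernel, so a handler cannot forget it or swap in another org.
function scopedFind(
  session: Session,
  table: string,
  where: (row: Row) => boolean = () => true,
): Row[] {
  const rows = tables[table] ?? [];
  return rows.filter((row) => row.organizationId === session.organizationId && where(row));
}

// Lookup by id is the classic IDOR path: a guessed id belonging to another
// tenant resolves to "not found", not to the row.
function scopedGet(session: Session, table: string, id: string): Row | undefined {
  return scopedFind(session, table, (row) => row.id === id)[0];
}

// A batch must lie entirely inside the caller's organization. One that
// straddles tenants, or names any other org at all, is refused up front.
function guardBatch(session: Session, batch: Mutation[]): Mutation[] {
  const orgs = new Set(batch.map((m) => m.organizationId));
  if (orgs.size > 1) {
    throw new TenantViolation(`batch straddles tenants: ${Array.from(orgs).sort().join(", ")}`);
  }
  for (const m of batch) {
    if (m.organizationId !== session.organizationId) {
      throw new TenantViolation(
        `mutation on ${m.table} targets org ${m.organizationId}, caller is in ${session.organizationId}`,
      );
    }
  }
  return batch;
}

// Creates never trust an organizationId inside the payload: the kernel stamps
// the session's org onto the new row after the batch has passed the guard.
function applyCreates(session: Session, batch: Mutation[]): Row[] {
  const created: Row[] = [];
  for (const m of guardBatch(session, batch)) {
    if (m.op !== "create") continue;
    const row: Row = { ...m.payload, id: String(m.payload.id), organizationId: session.organizationId };
    (tables[m.table] ??= []).push(row);
    created.push(row);
  }
  return created;
}
```

The point of routing reads through scopedFind and writes through guardBatch is that the tenant predicate lives in one place the handler cannot bypass; a handler that builds its own query would be the bug the kernel design is meant to rule out.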
Audit log

Financial logs can't be silently rewritten.

Every create, submit, cancel, or edit on a financial document writes a hash-chained, append-only row. Tampering shows.

Append-only at the schema
The production database role has no UPDATE or DELETE grant on AuditLog, so nothing acting through that role, an admin included, can quietly rewrite a row.
Hash-chained entries
Each row's hash covers the prior row's hash, so altering any row breaks the chain for every row after it. Verification recomputes the hashes from the first row and stops at the first mismatch, which pinpoints the earliest altered row.
Exportable in one click
Auditors get the full ledger as CSV / JSON, scoped to whatever date range and doctype they ask for.
[Live view: AuditLog · voucher mutations · today. Schema constraint: AuditLog has no UPDATE / DELETE permission in the prod role.]
Compliance matrix

Exactly what's in place — and what isn't yet.

We'd rather be specific than reassuring. This matrix lists every control in plain language; if a control isn't marked In place, we haven't earned the right to claim it yet.

Control · Status · Detail
Tenant data isolation · In place · Row-level organizationId filter on every query; kernel guards refuse batches that straddle tenants.
Encryption in transit · In place · TLS 1.2+ on every customer endpoint; authentication cookies are marked Secure, so they are only ever sent over HTTPS.
Encryption at rest · In place · Primary database volumes encrypted (provider-managed keys). Object-storage uploads encrypted server-side.
Immutable audit log · In place · Every create / submit / cancel / delete on financial documents is recorded with actor + before / after diff; admins cannot modify log rows.
Role-based access control · In place · Org-level roles (owner / admin / member) plus ERP roles for module-level permissions; invites scoped per organization.
Close-period posting guard · In place · FiscalPeriodSignoff freezes GL posting dated on or before periodEnd. Enforced in the schema rather than the UI, so a client cannot bypass it.
Database backups · In place · Daily automated backups with 30-day retention. Restore procedure documented and rehearsed.
Breach notification process · In place · 72-hour notification to controllers per DPA. Incident runbook exists and is owned by the engineering lead.
SOC 2 Type II · In progress · Observation period underway with a third-party auditor. Attestation letter will be available on request when issued.
ISO 27001 · Not yet · Not on the roadmap for this fiscal year. Evaluating in parallel with SOC 2 completion.
HIPAA · Not yet · Service is not designed for protected health information. We will not sign BAAs.
Third-party penetration test · In progress · First external engagement in scoping. Summary report will be shareable under NDA.

We won't publish a status we can't back up on request. Ask us for the relevant evidence.