Compliance is in the schema.
Security isn't a feature we sell. It's the constraint we build everything else on top of — every table, every endpoint, every connector.
Row-level security on every table
Default-deny RLS policies keyed by tenant_id, enforced at the database. Server-side RBAC layered on top so the UI can never expose what the database refuses.
AES-GCM credential vault
Customer secrets (OAuth tokens, API keys) encrypted at rest with envelope-encrypted master keys. Rotated on schedule. Never logged.
Append-only audit log
Every super-admin action is signed and recorded. No UPDATE policy on the table — the log is provably complete. Owner-visible, exportable as JSONL.
Sensible defaults, hardened edges
CSRF on every state change. Rate limits per IP, per tenant, per API key. Signed OAuth state with 10-min TTL. Webhooks signed with HMAC.
SSO + MFA
Passkeys preferred. SAML + SCIM on Enterprise. MFA mandatory for owner accounts on Pro and above.
EU data residency
Hosted in Helsinki. Enterprise tenants can pin all data to EU-only infrastructure. Per-tenant data-flow report for every connector.
Papers, in order.
Per-tenant template generated at signup. Lawful basis recorded per data type.
Public list, maintained as we add infra. 30-day notice on changes.
Annual third-party penetration test. Summary report on request.
Audit underway — target attestation Q4 2026.
Roadmap item for 2027. Controls mapped today.
Daily encrypted snapshots. 30-day retention on Pro, 1 year on Enterprise.
Who else touches your data.
Updated as we add infrastructure. 30-day notice on changes.
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database, auth, storage | EU (Frankfurt) |
| Anthropic | Claude inference | US + EU |
| OpenAI | GPT inference (optional) | US |
| Google AI | Gemini inference (optional) | EU + US |
| fal.ai / Replicate | Image generation | US |
| Stripe | Billing | EU + US |
| Resend | Transactional email | EU |
| Sentry | Error tracking | EU |
| Cloudflare | DNS + CDN | Global |