Multi-tenant security we prove on every release.
Not a policy document — an automated test suite. Tenant isolation is verified in CI on every single change to the database layer.
The tenant-isolation contract
Every table is guarded by Postgres Row Level Security. The isolation suite asserts four things, on every change:
- Own-org reads work — your users see your data
- Cross-org reads are blind — queries against another tenant return nothing
- Cross-org writes are rejected — not filtered, rejected
- Super-admin access is an explicit, audited path — never an accident
Role & scope access control
Granular permission scopes — e.g. forecast.lock, schedule.generate, realtime.view, request.approve — attached to roles. Planners, RTAs, team leads and agents each get exactly the access they need, down to individual operations.
Full audit trail
Every lock, regeneration, approval and manual override is audited: who, when, why. Sensitive actions leave a record by design.
Immutability of locked artifacts
Locked forecasts and schedules reject changes. The plan of record can't be quietly rewritten after the fact — which is also an audit property, not just a workflow one.
Architecture
Backend: Supabase — Postgres, Auth and APIs. All access goes through RLS-guarded, permission-scoped RPCs; there is no side door around the policy layer.
Frontend: React 18 + TypeScript, responsive throughout, with the agent view mobile-tested.
Data residency: hosted in ap-southeast-1 (Singapore). If residency in this region matters to your compliance posture, it's already where your data lives.
We describe our posture as security-first architecture. We publish exactly what is tested and how — and we don't claim certifications we haven't obtained.
Architecture one-pager for your security review
A concise PDF covering the isolation model, access control, audit surface and hosting — written for InfoSec reviewers, not marketers.
Check your inbox
The architecture one-pager is on its way.