Security-first platform

Security Overview

CisoDeck is built for cybersecurity consultants. We hold ourselves to the same standards you advise your clients on.

Last updated: June 1, 2026

Tenant isolation

Every account is completely isolated at the database level using PostgreSQL Row Level Security (RLS).

  • User A can never read, write, update, or delete User B’s data
  • All queries are automatically filtered by account membership
  • Isolation is enforced by the database engine, not application code alone
  • Automated cross-tenant attack tests verify isolation on every release

Authentication & access

  • Secure password hashing with bcrypt
  • HTTP-only, secure session cookies
  • PKCE (Proof Key for Code Exchange) flow for the authorization code exchange
  • Automatic session refresh on every request
  • Role-based permissions: owner, admin, and member
  • Service role key never exposed to browser

Encryption

  • In transit: All connections use TLS 1.2+ encryption
  • At rest: Database and storage encrypted at rest (managed by Supabase/AWS)
  • Passwords: Hashed with bcrypt, never stored in plaintext

Storage & reports

  • All storage buckets (logos, PDFs) are private — no public URLs
  • File access requires signed URLs with short expiry (5 min for PDFs, 1 hr for logos)
  • Storage paths are account-scoped and enforced by RLS
  • Generated reports are immutable snapshots — cannot be updated or deleted
  • Report PDFs use insert-only storage policies

Audit & accountability

  • All significant actions are logged (client creation, assessments, reports, etc.)
  • Audit logs are append-only — cannot be updated or deleted
  • Logs are account-scoped — each account sees only its own logs
  • Sensitive data is stripped from log metadata
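As an added illustration of the two mechanisms above (account-scoped isolation enforced by the database engine, and an append-only audit log), not CisoDeck's own schema or policies, here is how such PostgreSQL Row Level Security policies are typically declared. The table and column names and the helper function are assumed; auth.uid() and the authenticated role are Supabase's.

```sql
-- Assumed schema (illustrative, not the product's): account_members(account_id, user_id, role),
-- clients(account_id, ...), audit_logs(account_id, ...).
-- auth.uid() is Supabase's helper returning the calling user's id from the verified JWT.

-- Helper: the set of accounts the current user belongs to.
-- SECURITY DEFINER so the membership lookup is not itself blocked by RLS on
-- account_members; search_path is pinned so the function cannot be hijacked.
create or replace function public.my_account_ids()
returns setof uuid
language sql
stable
security definer
set search_path = public
as $$
  select account_id from public.account_members where user_id = auth.uid();
$$;

-- Tenant-scoped table: every row carries the owning account and every
-- statement type is filtered by membership, so queries need no WHERE clause
-- from application code to stay inside the tenant.
alter table public.clients enable row level security;
alter table public.clients force row level security;  -- also applies to the table owner

create policy clients_select on public.clients
  for select using (account_id in (select public.my_account_ids()));
create policy clients_insert on public.clients
  for insert with check (account_id in (select public.my_account_ids()));
create policy clients_update on public.clients
  for update using (account_id in (select public.my_account_ids()))
             with check (account_id in (select public.my_account_ids()));
create policy clients_delete on public.clients
  for delete using (account_id in (select public.my_account_ids()));

-- Append-only audit log: members may read and insert their own account's rows.
-- With no UPDATE or DELETE policy defined, RLS denies those statements outright.
alter table public.audit_logs enable row level security;
alter table public.audit_logs force row level security;

create policy audit_select on public.audit_logs
  for select using (account_id in (select public.my_account_ids()));
create policy audit_insert on public.audit_logs
  for insert with check (account_id in (select public.my_account_ids()));

-- Defence in depth: remove the privileges too, so a later mistakenly added
-- policy cannot reopen update/delete for end users.
revoke update, delete on public.audit_logs from authenticated;
```

Roles with BYPASSRLS (in Supabase, the service_role key) skip these policies entirely, which is why that key must stay server-side.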

Architecture & validation

  • Server-rendered Next.js — no raw database credentials in the browser
  • All inputs validated server-side (types, ranges, enums, lengths)
  • Account ID derived server-side, never accepted from client
  • Parent-child integrity verified before cross-table operations
  • File uploads validated for MIME type and size on client and server

Data residency & compliance

Application data (database and file storage) is hosted in the EU (Frankfurt, eu-central-1) region via Supabase. Application hosting on Vercel uses edge locations closest to the user, with server-side rendering processed in the EU. No data is replicated outside the EU unless explicitly requested.

Sub-processors

Provider | Purpose                       | Data processed                       | Compliance
---------|-------------------------------|--------------------------------------|----------------
Supabase | Database, auth, file storage  | All application data                 | SOC 2 Type II
Vercel   | Application hosting           | Request/response data                | SOC 2 Type II
Stripe   | Payment processing            | Billing data only (no client data)   | PCI DSS Level 1

We do not use third-party analytics, tracking, or advertising services. No client data is shared with payment processors.

Vulnerability reporting

If you discover a security vulnerability, please report it responsibly to [email protected]. We will acknowledge receipt within 24 hours and aim to resolve critical issues within 72 hours.

For general security questions: [email protected]

Important: CisoDeck helps you assess, track, and report. It does not certify clients as compliant or secure, and it does not replace professional judgement.

Looking for a page to share with your clients? See Security Information for Your Clients.