Security & Trust Center
Enterprise-grade security built into every layer of the platform — not bolted on as an afterthought.
Certifications & Standards
Independently audited security controls covering data handling, access management, availability, and confidentiality. Annual audit cycle.
Full compliance with the EU General Data Protection Regulation. Built-in data export, consent management, right to erasure, and data processing agreements.
Information Security Management System certification. Systematic approach to managing sensitive company information securely.
Sensitive fields (PII, tokens, API secrets) encrypted with AES-256 at the column level on top of disk-level encryption — protected even if a backup file is exposed.
Enterprise plans include formal uptime guarantees with defined service credits. Scheduled maintenance communicated 48 hours in advance.
Append-only audit log capturing every create, update, and delete operation with user ID, IP address, timestamp, and before/after data snapshots.
Security Architecture
Every database query is automatically scoped to the current tenant via Entity Framework global query filters. Automatic TenantId stamping on every record. One tenant can never access another's data — enforced at the data layer, not just the application layer.
TLS 1.2+ for all data in transit. Database encryption at rest. API keys are SHA-256 hashed before storage. Session cookies encrypted via ASP.NET Core Data Protection with shared key ring across applications.
Four layers of access control: Role-Based Access Control (RBAC) with custom roles, additive Permission Sets, field-level security (Hidden/ReadOnly/Editable per role), and record-level sharing rules (Private/Team/Public).
How We Handle Your Data
SSO via Google, Microsoft, and Apple. Cross-app authentication with shared secure cookie. Token-based API access with scoped permissions and expiry dates. Invitation-based onboarding with SHA-256 hashed tokens.
Three-layer rate limiting: daily quota per tenant (resets at midnight in tenant timezone), sliding-window burst protection, and concurrent request limits. Prevents abuse without impacting legitimate usage.
Soft-delete with recycle bin recovery for accidental deletions. Permanent tenant data purge with FK-safe SQL ordering and full audit trail. 30-day retention window after cancellation.
AI prompts include only the context you authorize. Token usage tracked per tenant. Conversation history stored in your tenant only. We do not use your data to train AI models. Provider-level DPAs in place.
Questions about security?
Our team is happy to discuss security requirements, provide compliance documentation, or arrange a security review.