// security & compliance

Security
isn't a feature.
It's the architecture.

Database-level tenant isolation. Composable role-based access. Row- and column-level policies declared as metadata, not buried in application code. Self-hosted by default, anywhere you want.

security posture

●︎ green

tenant isolation db-level

data at rest encrypted

data in transit tls 1.3

audit trail 100%

self-host available

data residency your call

/ 01 · isolation

One database
per tenant.
No exceptions.

The strongest isolation model available. No shared tables. No query filters to forget. If one tenant's database is compromised, other tenants are completely unaffected.

[separate db]

Separate databases

Each tenant has its own PostgreSQL database. Not a schema, not a row filter — a real database.

[separate creds]

Separate credentials

Unique DB user per tenant. No shared connection. No master role with cross-tenant reach.

[schema iso]

Module schemas

Module schemas (crm, hr, fin, wms) live inside each tenant's own database. Always namespaced.

[auth split]

Auth/data split

User identities live in a separate auth service. Tenant data never touches the auth store.

other platforms · shared db, "tenant_id" filter

risky

postgres · single database

▸SELECT * FROM accounts WHERE tenant_id = ?

▸SELECT * FROM contacts WHERE tenant_id = ?

▸SELECT * FROM invoices WHERE tenant_id = ?

↑ one missed filter = data leak

dforge · one database per tenant

isolated

db · tenant_acme isolated

db · tenant_globex isolated

db · tenant_initech isolated

no shared rows · no shared roles · no cross-tenant queries possible

/ 02 · access control

Four layers.
All declarative.

Every access rule is metadata. Versioned, reviewable, auditable. No security logic scattered across controllers and stored procedures.

[rbac]

Role-based access

Composable, additive roles. Sales Rep + Finance Viewer = full CRM + read-only Finance. Roles never revoke each other.

role  SalesRep        can: read, update.own
role  FinanceViewer   can: read.fin
user  alice
      roles: [SalesRep, FinanceViewer]

[row-level]

Row-level security

Folders define filter criteria that restrict which records a user can access. Applied at the SQL layer, never the UI.

policy  WestRegionOnly  on Account
        for SalesRep
        where  region = 'west'

[col-level]

Column-level security

Per-role field visibility and editability. Sales sees the contract value but not the margin. Viewers see summary, not internal notes.

field  Contract.margin
       visible: Finance, Exec
       hidden:  Sales, Viewer

[folders]

Folder-scoped permissions

The same role can resolve to different effective permissions in different organizational folders. Department managers vs. exec scope.

scope  Folder.engineering
       grants: Manager  → write
               Manager  → read.exec

/ 03 · audit & compliance

Every change.
Every actor.
Every time.

100%

Change history

Every data mutation tracked: who, what, when, before, after. Financial modules carry full audit trails.

JWT

Token-based auth

Refresh tokens, short-lived access tokens, secure rotation. No passwords stored in tenant databases.

Yours

Data sovereignty

Self-host in your region, your jurisdiction, your network. Backups, encryption, and policies under your control.

audit log · tenant_acme live tail