Our security controls
How we protect your data across the Security, Availability, and Confidentiality criteria. Status is shown honestly — we don’t list a control as in place until we can evidence it for an audit.
Access control
Tenant isolation
Every record is scoped to an account and isolated with Postgres row-level security, so one customer can never read another customer’s metadata.
Role-based least privilege
Roles and granular permissions gate every action, with a read-only viewer role as the fail-safe default. Writes require an explicit permission.
Multi-factor authentication
MFA is available to every user and required for administrative access. Sign-in and consent surfaces are protected against clickjacking.
SSO & automated provisioning
Enterprise SSO (SAML/OIDC) and SCIM directory sync are available. Deprovisioning always revokes access, even when other toggles are off.
Encryption
Encryption at rest
Third-party OAuth tokens are encrypted with AES-256-GCM and stored in an isolated database schema that is not exposed by our public API.
Credential hashing
API keys are stored only as a salted hash and shown in full exactly once, at creation.
Encryption in transit
All traffic is served over TLS, with HTTP Strict Transport Security enforced in production.
Data handling
Metadata-only access
We read Salesforce metadata through a strict allowlist that structurally cannot query the contents of your records.
Data classification & retention
Customer metadata is retained only while an org is connected and deleted or de-identified on disconnect, in line with our Data Retention policy.
Network security
Edge protection & rate limiting
A managed web application firewall and per-IP rate limits guard public endpoints, backed by a baseline set of security response headers.
Webhook authenticity
Every inbound webhook (billing, identity, database, integrations) is verified by cryptographic signature before it is processed.
Logging & monitoring
Audit logging
Security-relevant events and schema changes are recorded in append-only logs for accountability and evidence.
Error monitoring & alerting
Application errors are captured and alerted on so issues are detected and triaged quickly.
Change management
Reviewed, tested change control
Code and database changes flow through version control with automated type, lint, and schema-drift checks before release.
Vulnerability management
Dependencies are kept current automatically, and code is scanned for secrets and known vulnerabilities in the pipeline.
Vendor management
Subprocessor due diligence
Each subprocessor is reviewed for security posture, and its compliance report and data-processing agreement are kept on file.
Availability
Automated backups
The production database is backed up automatically with point-in-time recovery.
Disaster recovery testing
A documented recovery runbook is periodically tested by restoring from backup and measuring recovery objectives.
Health & status monitoring
System health is continuously monitored, with a public status page for real-time and historical availability.
Governance
Incident response
A documented incident-response process defines detection, escalation, customer notification, and post-incident review.
Risk assessment
Security risks are identified, rated, and tracked to treatment in a maintained risk register, reviewed at least annually.