Tenant isolation is enforced in the database, not just the app. Every view and download is logged. Files never get a public URL. Security was the first requirement of the platform, not a feature bolted on later.
Every customer table carries an organization id, and Postgres row-level security policies decide what each request can read or write. Isolation lives in the database, so it holds even if application code has a bug. Platform admin access is a separate, controlled path that customers can never grant themselves, and we test cross-organization isolation directly.
SAML 2.0 and OIDC single sign-on per organization, with an optional require-SSO setting. SCIM 2.0 provisions and deprovisions users through your identity provider, so offboarding is one action. TOTP multi-factor with backup codes is available to everyone and required for platform admins. Roles are managed per organization with a full member directory.
Sensitive actions, including who opened or downloaded a contract file, are appended to an audit log with the actor, action, entity, organization, IP address, and user agent. Owners see their own trail in the app, and you can stream events to your SIEM. Known sign-in devices are tracked so unusual access stands out.
Uploaded files go into private buckets with no public URLs, ever. Downloads use short-lived signed URLs that expire in about a minute. Uploads are validated on type, size, and file signature, not just the extension. Share links are stored only as hashes, never as reusable tokens.
TLS protects data in transit, and storage and database are encrypted at rest. Credentials for your connected tools are sealed with AES-256-GCM using a fresh initialization vector per value, shown masked, and checked for tampering. No secret is ever stored in our code.
Set a retention policy, export everything, or hard delete. A deletion removes both the database rows and the stored files, so nothing lingers. You never have to file a ticket with us to honor a deletion request from your side.
The security review package collects everything public in reading order: the security overview with its claim ladder, the 60-question security team FAQ, the data processing agreement, the subprocessor list, and our resilience evidence with dates. The policy set and a pre-completed security questionnaire sit behind a click-through NDA in scoped, expiring, revocable links, and every view lands on the audit trail. We state what is not built yet as plainly as what is, so a framework is only ever claimed with the evidence to show for it.
Enterprise controls are on from day one. See the full platform.