Security

7 Layers of Data Isolation

  1. HTTP Header Extraction — CompanyMiddleware reads X-Company-Id
  2. Access Guard — CompanyGuard validates user-company access
  3. Application Scope — CompanyScope adds company_id to queries
  4. Event Context — DomainEvent carries companyId
  5. Database CHECK — CHECK (company_id IS NOT NULL) on 27 tables
  6. Foreign Keys — ON DELETE RESTRICT on 23 tables
  7. Row-Level Security — PostgreSQL RLS policies on 8 tables

Runtime Database Security

The application uses a restricted role (app_user) with DML only — no DDL, no BYPASSRLS.
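
The database-side layers (5 to 7) and the restricted role described above, sketched as PostgreSQL DDL with two checks at the end. This is an added example, not the project's own schema: the `companies` and `invoices` tables, the policy name and the `app.company_id` session setting are assumptions; only `app_user` and `company_id` come from the page.

```sql
-- Hypothetical schema for illustration. Run as a migration/owner role, not app_user.
CREATE ROLE app_user LOGIN NOSUPERUSER NOCREATEDB NOCREATEROLE NOBYPASSRLS;

CREATE TABLE companies (
    id uuid PRIMARY KEY
);

CREATE TABLE invoices (
    id          uuid PRIMARY KEY,
    -- Layer 6: a company cannot be deleted while rows still reference it.
    company_id  uuid REFERENCES companies (id) ON DELETE RESTRICT,
    total_cents bigint NOT NULL,
    -- Layer 5: every row must belong to a company.
    CONSTRAINT invoices_company_id_check CHECK (company_id IS NOT NULL)
);

-- Layer 7: rows are readable and writable only for the company set on the session.
ALTER TABLE invoices ENABLE ROW LEVEL SECURITY;
ALTER TABLE invoices FORCE ROW LEVEL SECURITY;  -- the table owner is subject to policies too

-- Assumption: the application sets app.company_id per transaction, e.g.
--   SELECT set_config('app.company_id', '<company uuid>', true);
-- An unset or empty setting yields NULL, so the comparison matches no rows.
CREATE POLICY invoices_company_isolation ON invoices
    FOR ALL TO app_user
    USING      (company_id = NULLIF(current_setting('app.company_id', true), '')::uuid)
    WITH CHECK (company_id = NULLIF(current_setting('app.company_id', true), '')::uuid);

-- DML only: app_user owns nothing and cannot create objects in the schema.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
GRANT USAGE ON SCHEMA public TO app_user;
GRANT SELECT, INSERT, UPDATE, DELETE ON invoices TO app_user;
GRANT SELECT ON companies TO app_user;

-- Check 1: every boolean in this row should be false.
SELECT rolname, rolsuper, rolbypassrls, rolcreatedb, rolcreaterole,
       has_schema_privilege('app_user', 'public', 'CREATE') AS can_create_in_schema
FROM pg_roles
WHERE rolname = 'app_user';

-- Check 2: list tables in the schema with their RLS flags, to compare
-- against the set of tables that are expected to carry policies.
SELECT c.relname, c.relrowsecurity, c.relforcerowsecurity
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'public' AND c.relkind = 'r'
ORDER BY c.relname;
```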

Audit Trail

Every action is logged with tenant ID, company ID, user ID, entity type, action, and timestamp.
