Security that assumes every tenant matters

We built the platform around three things: tenant isolation that holds even under concurrent writes, an auditable record of every change, and a secrets model that keeps customers out of each other's data.

Tenant isolation by construction

Every tenant request runs inside a Postgres transaction, and every tenant-scoped table has row-level security enabled and forced (so even the table owner is subject to it), with policies that carry both a USING clause and a WITH CHECK clause: rows belonging to other tenants are invisible to reads, and a write that would tag a row with another tenant's id is rejected. Two synthetic-org integration tests run on every merge to prove that cross-tenant reads return nothing and cross-tenant writes fail.
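The shape of that isolation, as an added illustration rather than the platform's own schema: a tenant-scoped table with row-level security enabled and forced, one policy whose USING clause filters reads and whose WITH CHECK clause rejects cross-tenant writes, and the two checks the integration tests described above would exercise. The `sites` table, its columns, the `current_tenant()` helper and the `app.tenant_id` setting are assumptions for illustration.

```sql
-- Added example (not the platform's own schema). Table name, columns,
-- current_tenant() and the app.tenant_id setting are assumptions.

CREATE TABLE sites (
    id        bigserial PRIMARY KEY,
    tenant_id uuid NOT NULL,
    name      text NOT NULL
);

-- ENABLE applies RLS to ordinary roles; FORCE applies it to the table owner
-- as well, so a migration or ops connection running as the owner is not
-- silently exempt. Superusers and roles with BYPASSRLS still bypass it, so
-- the application role must be neither.
ALTER TABLE sites ENABLE ROW LEVEL SECURITY;
ALTER TABLE sites FORCE ROW LEVEL SECURITY;

-- The request's tenant comes from a transaction-local setting. The second
-- argument to current_setting() makes an unset value return NULL instead of
-- raising; NULLIF maps an empty string to NULL too. NULL = anything is never
-- true, so a request that never set a tenant can see and write nothing.
CREATE FUNCTION current_tenant() RETURNS uuid
LANGUAGE sql STABLE AS $$
    SELECT NULLIF(current_setting('app.tenant_id', true), '')::uuid
$$;

CREATE POLICY tenant_isolation ON sites
    FOR ALL
    USING      (tenant_id = current_tenant())   -- which rows SELECT/UPDATE/DELETE can see
    WITH CHECK (tenant_id = current_tenant());  -- which rows INSERT/UPDATE may produce

-- Per-request pattern: SET LOCAL scopes the tenant to this transaction, so a
-- pooled connection cannot carry it into the next request.
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO sites (tenant_id, name)
VALUES ('11111111-1111-1111-1111-111111111111', 'Lobby');
COMMIT;

-- Cross-tenant read: tenant B gets an empty result, not an error.
BEGIN;
SET LOCAL app.tenant_id = '22222222-2222-2222-2222-222222222222';
SELECT count(*) FROM sites;
COMMIT;

-- Cross-tenant write: tenant B tries to insert a row tagged as tenant A.
-- The WITH CHECK clause rejects it ("new row violates row-level security
-- policy") and the transaction is aborted; the same clause blocks an UPDATE
-- that would re-tag an existing row to another tenant.
BEGIN;
SET LOCAL app.tenant_id = '22222222-2222-2222-2222-222222222222';
INSERT INTO sites (tenant_id, name)
VALUES ('11111111-1111-1111-1111-111111111111', 'Loading dock');
ROLLBACK;
```

Two practitioner notes: a policy with only a USING clause would hide other tenants' rows but still let a caller insert rows under someone else's tenant id, which is exactly the write case the page's second test exists to catch; and RLS is only as strong as the role the application connects with, since a superuser or BYPASSRLS role sees every row regardless of policy.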

Display-once API keys

Raw API keys appear exactly once in the UI, immediately after creation, and the modal does not dismiss until the user explicitly acknowledges it. The server stores an argon2id hash of the key, a public `atc_<env>_<id>` prefix, and a 16-character fingerprint: the fingerprint is the indexed lookup key that matches a presented key to a single row without scanning the table, the prefix identifies the environment and key id, and the argon2id hash is what the presented key is verified against. None of the three can be used to reconstruct the raw key.

Hash-chained audit trail

Every mutation writes an `audit_events` row inside the same transaction as the domain change, so the two commit or roll back together. Each row carries the SHA-256 of the previous row, so deleting, altering or reordering an earlier row breaks every hash after it, and an operator can walk the chain to detect tampering or a rewind to an earlier state. Startup refuses to proceed if any tenant's chain head is uninitialised.
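How such a chain is written and checked, as an added example (not the platform's own schema or code): an append function that locks the per-tenant head so concurrent writers cannot fork the chain, an AFTER trigger on a domain table so the audit row lives in the mutating transaction, and the two queries an operator would run to detect a broken link or a rewound tail. The table and column names, the `cameras` table, the genesis-hash convention and the pgcrypto dependency are all assumptions.

```sql
-- Added example (not the platform's own schema). Names, the cameras table,
-- the genesis convention and the pgcrypto dependency are assumptions.

CREATE EXTENSION IF NOT EXISTS pgcrypto;   -- provides digest()

CREATE TABLE audit_events (
    seq         bigserial   PRIMARY KEY,
    tenant_id   uuid        NOT NULL,
    occurred_at timestamptz NOT NULL DEFAULT now(),
    action      text        NOT NULL,
    payload     jsonb       NOT NULL,
    prev_hash   bytea       NOT NULL,   -- row_hash of this tenant's previous row
    row_hash    bytea       NOT NULL    -- covers prev_hash, so each row commits to its past
);

-- One head per tenant. A tenant with no head row is "uninitialised": the
-- writer refuses to append, and a startup check can fail on the same condition.
CREATE TABLE audit_chain_heads (
    tenant_id uuid  PRIMARY KEY,
    head_hash bytea NOT NULL
);

-- The hashed byte string is built in exactly one place so the writer and the
-- verifier cannot drift apart. jsonb::text is canonical (keys are sorted), so
-- the same payload always hashes the same way.
CREATE FUNCTION audit_row_hash(prev bytea, tenant uuid, action text, payload jsonb)
RETURNS bytea LANGUAGE sql IMMUTABLE AS $$
    SELECT digest(encode(prev, 'hex') || '|' || tenant::text || '|' || action
                  || '|' || payload::text, 'sha256')
$$;

CREATE FUNCTION audit_genesis_hash(tenant uuid) RETURNS bytea
LANGUAGE sql IMMUTABLE AS $$ SELECT digest('genesis|' || tenant::text, 'sha256') $$;

-- Append one event. FOR UPDATE on the head row serialises concurrent writers
-- for the same tenant, so two transactions can never both extend the same
-- prev_hash.
CREATE FUNCTION audit_append(p_tenant uuid, p_action text, p_payload jsonb)
RETURNS bigint LANGUAGE plpgsql AS $$
DECLARE v_prev bytea; v_hash bytea; v_seq bigint;
BEGIN
    SELECT head_hash INTO v_prev FROM audit_chain_heads
     WHERE tenant_id = p_tenant FOR UPDATE;
    IF NOT FOUND THEN
        RAISE EXCEPTION 'audit chain head for tenant % is uninitialised', p_tenant;
    END IF;
    v_hash := audit_row_hash(v_prev, p_tenant, p_action, p_payload);
    INSERT INTO audit_events (tenant_id, action, payload, prev_hash, row_hash)
    VALUES (p_tenant, p_action, p_payload, v_prev, v_hash) RETURNING seq INTO v_seq;
    UPDATE audit_chain_heads SET head_hash = v_hash WHERE tenant_id = p_tenant;
    RETURN v_seq;
END $$;

-- A domain table and the trigger that audits it. The trigger runs inside the
-- caller's transaction, so the domain change and its audit row commit or roll
-- back together; there is no window where one exists without the other.
CREATE TABLE cameras (id bigserial PRIMARY KEY, tenant_id uuid NOT NULL, label text NOT NULL);

CREATE FUNCTION cameras_audit() RETURNS trigger LANGUAGE plpgsql AS $$
BEGIN
    PERFORM audit_append(
        CASE WHEN TG_OP = 'DELETE' THEN OLD.tenant_id ELSE NEW.tenant_id END,
        'cameras.' || lower(TG_OP),
        CASE WHEN TG_OP = 'DELETE' THEN to_jsonb(OLD) ELSE to_jsonb(NEW) END);
    RETURN NULL;   -- AFTER trigger: the return value is ignored
END $$;
CREATE TRIGGER cameras_audit AFTER INSERT OR UPDATE OR DELETE ON cameras
    FOR EACH ROW EXECUTE FUNCTION cameras_audit();

-- Onboarding initialises the head; the first audited write chains to it.
INSERT INTO audit_chain_heads VALUES ('11111111-1111-1111-1111-111111111111',
    audit_genesis_hash('11111111-1111-1111-1111-111111111111'));
INSERT INTO cameras (tenant_id, label) VALUES ('11111111-1111-1111-1111-111111111111', 'Lobby cam');
UPDATE cameras SET label = 'Lobby cam (east)' WHERE label = 'Lobby cam';

-- Operator check 1: every row must hash correctly and link to its predecessor
-- (or to the genesis hash for the first row). Any row returned is a break.
SELECT seq, tenant_id
FROM (
    SELECT *, lag(row_hash) OVER (PARTITION BY tenant_id ORDER BY seq) AS expected_prev
    FROM audit_events
) e
WHERE prev_hash <> COALESCE(expected_prev, audit_genesis_hash(tenant_id))
   OR row_hash  <> audit_row_hash(prev_hash, tenant_id, action, payload);

-- Operator check 2: the newest row must match the stored head (or the head
-- must still be the genesis hash if nothing was written). A tail that was
-- deleted, i.e. a rewind, shows up here even though check 1 stays clean.
SELECT h.tenant_id
FROM audit_chain_heads h
LEFT JOIN LATERAL (
    SELECT row_hash FROM audit_events e
    WHERE e.tenant_id = h.tenant_id ORDER BY seq DESC LIMIT 1
) newest ON true
WHERE COALESCE(newest.row_hash, audit_genesis_hash(h.tenant_id)) <> h.head_hash;
```

The caveat a reviewer would raise: both checks only catch edits made by someone who did not re-hash. Anyone who can write both tables, a database superuser for instance, can rewrite the tail and recompute every link and the head consistently. The usual mitigation, stated here as general practice rather than as a description of the platform, is to periodically export or sign the chain head somewhere the database cannot reach, so a recomputed chain no longer matches the anchored value.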

Retention you control

Image retention and event retention are per-site settings with sensible defaults. The audit schema is designed so that an erasure request can tombstone a row without rewriting the hashes of the rows before it; the executor that performs the tombstoning is on the Phase D roadmap. On-prem deployments keep all of this inside your network today.

Transport-level protection

The hosted endpoint terminates TLS at the reverse proxy; on-prem deployments bring their own certificates. API keys carry optional IP allowlists and per-origin CORS lists. MQTT from edge appliances goes through a Mosquitto broker with authentication enabled; mutual certificate authentication is arranged per tenant during onboarding.

Compliance roadmap

A SOC 2 Type II audit is in progress; once issued, the report will be available under NDA on request. ISO 27001 and the HIPAA security-rule mapping are on the FY27 roadmap. Until then, the security team is happy to walk through our controls in detail.

Something unclear or concerning?

Coordinated-disclosure reports go to [email protected]. Procurement questions, architecture reviews, and penetration-test scope discussions are welcome via the contact form.