Skip to main content
Security & trust

Built so one customer can never see another’s data.

Tenant isolation isn’t a setting here. It’s enforced in the database.

FIG.01SECURITY POSTURE
Tenant isolation

Every row is scoped to your organisation.

Enforced by PostgreSQL row-level security under a least-privilege role — not just by application code.

EU data residency

Storage and processing stay in the EU.

On standard plans, your data does not leave the region. Enterprise can specify a dedicated data region.

Not training data

Your data is not training data.

We don’t use your project data to train shared models by default.

Mandatory two-factor

Every sign-in requires an emailed code.

Two-factor is not optional and not a paid add-on. It applies to every account on every plan.

Originals preserved

Uploaded files are stored as immutable objects.

Access is via short-lived signed links. The bucket is never exposed.

Determinism as safety

No silent defaults. Unknown is a valid result.

Demo values are labelled demo. A result you can’t trace is a result VentScan won’t assert.

org: northwind-mep
projects · 12
members · 6
row-level-security: on
no shared
rows
×
org: caldera-design
projects · —
members · —
access: denied

A query in one organisation cannot return a row from another. The boundary is enforced by the database role, below the application.

Security and deployment that meets your obligations.

Private cloud or self-host, SSO, customer-managed keys, custom retention, and an SLA. A subprocessors and trust page is on the way.

Talk to us about Enterprise