← All docsOperations
Security & RLS
Tenant isolation, audit logs, IAM.
Multi-tenant isolation is enforced at the database layer with row-level security (RLS) policies tied to workspace_members. Every workspace-scoped table has a SELECT policy that gates by public.is_workspace_member(workspace_id) and write policies that require the appropriate role (owner, admin, editor).
What this means for you
- A leaked anon key cannot read another workspace's data — RLS is enforced on every read.
- BYOK secrets are stored encrypted at rest with pgcrypto's
pgp_sym_encrypt; only the service role can decrypt them at AI call time. - All security-sensitive actions (member adds, role changes, API key rotations, compliance overrides) are written to
audit_logswith actor + IP.
Reporting
Suspected security issues: apache3corp@gmail.com. We acknowledge within 24h; severe issues get a 72h fix or mitigation plan.