Skip to main content
Skip to main content
Security & Compliance

Security by construction, not by policy PDF.

Three-scope RLS, hash-chained audit, and 4-eyes separation of duties for every destructive operation — enforced at the database, not the app layer. Signed. Chained. Reversible.

SOC 2 Type II
in progress
ISO 27001
aligned
GDPR
DPA + Art. 28
HIPAA
BAA on Enterprise
SAML · OIDC · SCIM
on every plan
Data residency
EU · US · IN
Control catalogue

The nine controls that carry the weight.

Each control is implemented in code, verified in CI, and audited in production. No control lives only in a policy document.

Three-scope RLS

Every table has explicit row-level security scoped to platform / tenant / workspace. CI blocks any PR that adds a table without policies.

Step-up + 4-eyes SoD

GDPR erasure and other destructive operations require two distinct administrators plus fresh MFA within 5 minutes.

Hash-chained audit

Every write extends a SHA-256 chain. Daily anchors ship to R2 Object Lock (WORM, 7 years). Tamper is mathematically detectable.

SSO on every plan

SAML 2.0, OIDC, SCIM 2.0 provisioning, tenant-scoped MFA enforcement — no upsell tax on identity.

Secrets & keys

Provider secrets stored in Lovable Cloud vault. Per-tenant API keys with prefix reveal + hashed storage; rotation is one click.

Data isolation

Logical isolation by tenant_id + workspace_id enforced by SECURITY DEFINER helpers. No shared caches across tenants.

IP allow-listing

Tenant admins can require CIDR-based allow-lists for platform + tenant scopes; every denial is audit-logged.

Regional residency

EU, US, and India regions supported. Data never leaves the region without an explicit export event captured in audit.

Change control

Every schema migration is code-reviewed, hash-chained, and reversible. Zero manual production database access.

Frameworks

What we're aligned to — and honest about the roadmap.

SOC 2 Type II

In progress (target 2026 Q4)

Trust Services Criteria: Security, Availability, Confidentiality. Type I report available on request under NDA.

ISO/IEC 27001:2022

Aligned — certification track

Statement of Applicability mapped to the 93 Annex A controls; gap analysis complete.

GDPR

Live

DPA under Art. 28 available for counter-sign. DSAR runbook with SoD-gated erasure. Sub-processors published.

HIPAA

BAA on Enterprise

Administrative, physical, and technical safeguards. BAA counter-signed for Enterprise-tier healthcare customers.

PCI DSS

Scope-avoided by design

Card data never touches our infrastructure — Stripe.js and Razorpay tokenized fields only.

CCPA / CPRA

Aligned

Consumer rights honored through the same DSAR + erasure workflow. Do-not-sell — we don't sell.

Architecture

Every write flows through row-level trust and the hash-chain.

Browser · DesktopSession + JWTEdge · TanStack StartBearer verify · ZodPostgres + RLSprivate.* helpersaudit_log (WORM)SHA-256 chainSSO · SCIM · MFAStep-up + IP allowlistVault PII (AES)Column-level cryptoR2 daily anchorverify_audit_chainGDPR erasure · 4-eyes SoD (SA1 ≠ SA2) · execute_erasure()Stage 1 → Manager → Tenant admin → SA1 → SA2 → executed

Every mutation crosses RLS at the DB, and every result appends one hash-linked row to the audit chain — verified daily against an R2 anchor.

Deep dive

Read the 24-page security & compliance whitepaper.

Written for security architects, DPOs, and audit teams. Covers threat model, cryptographic design, SoC key rotation, tenant isolation proofs, DSAR SLAs, and the sub-processor supply chain.

  • · Row-level security model with per-scope policy proofs
  • · Hash-chain construction, daily anchor, tamper detection
  • · Step-up + 4-eyes SoD state machine
  • · Key management, secret rotation, and BYO-KMS on Enterprise
  • · Sub-processor list, region routing, and export controls
Gated download

Security & Compliance whitepaper

24-page PDF-equivalent: RLS model, hash-chained audit design, 4-eyes SoD, SSO/SCIM, key management, sub-processors, retention, DSAR runbook.

We use your details to send the whitepaper and occasional security updates. Unsubscribe anytime. See our privacy notice.

Report a vulnerability

We operate a coordinated disclosure programme. Send a report to security@falconveritas.com with reproduction steps. Median first response is under 24 hours; we do not pursue researchers acting in good faith.