Security by construction, not by policy PDF.
Three-scope RLS, hash-chained audit, and 4-eyes separation of duties for every destructive operation — enforced at the database, not the app layer. Signed. Chained. Reversible.
The nine controls that carry the weight.
Each control is implemented in code, verified in CI, and audited in production. No control lives only in a policy document.
Three-scope RLS
Every table has explicit row-level security scoped to platform / tenant / workspace. CI blocks any PR that adds a table without policies.
Step-up + 4-eyes SoD
GDPR erasure and other destructive operations require two distinct administrators plus fresh MFA within 5 minutes.
Hash-chained audit
Every write extends a SHA-256 chain. Daily anchors ship to R2 Object Lock (WORM, 7 years). Tamper is mathematically detectable.
SSO on every plan
SAML 2.0, OIDC, SCIM 2.0 provisioning, tenant-scoped MFA enforcement — no upsell tax on identity.
Secrets & keys
Provider secrets stored in Lovable Cloud vault. Per-tenant API keys with prefix reveal + hashed storage; rotation is one click.
Data isolation
Logical isolation by tenant_id + workspace_id enforced by SECURITY DEFINER helpers. No shared caches across tenants.
IP allow-listing
Tenant admins can require CIDR-based allow-lists for platform + tenant scopes; every denial is audit-logged.
Regional residency
EU, US, and India regions supported. Data never leaves the region without an explicit export event captured in audit.
Change control
Every schema migration is code-reviewed, hash-chained, and reversible. Zero manual production database access.
What we're aligned to — and honest about the roadmap.
SOC 2 Type II
In progress (target 2026 Q4)Trust Services Criteria: Security, Availability, Confidentiality. Type I report available on request under NDA.
ISO/IEC 27001:2022
Aligned — certification trackStatement of Applicability mapped to the 93 Annex A controls; gap analysis complete.
GDPR
LiveDPA under Art. 28 available for counter-sign. DSAR runbook with SoD-gated erasure. Sub-processors published.
HIPAA
BAA on EnterpriseAdministrative, physical, and technical safeguards. BAA counter-signed for Enterprise-tier healthcare customers.
PCI DSS
Scope-avoided by designCard data never touches our infrastructure — Stripe.js and Razorpay tokenized fields only.
CCPA / CPRA
AlignedConsumer rights honored through the same DSAR + erasure workflow. Do-not-sell — we don't sell.
Every write flows through row-level trust and the hash-chain.
Every mutation crosses RLS at the DB, and every result appends one hash-linked row to the audit chain — verified daily against an R2 anchor.
Read the 24-page security & compliance whitepaper.
Written for security architects, DPOs, and audit teams. Covers threat model, cryptographic design, SoC key rotation, tenant isolation proofs, DSAR SLAs, and the sub-processor supply chain.
- · Row-level security model with per-scope policy proofs
- · Hash-chain construction, daily anchor, tamper detection
- · Step-up + 4-eyes SoD state machine
- · Key management, secret rotation, and BYO-KMS on Enterprise
- · Sub-processor list, region routing, and export controls
Report a vulnerability
We operate a coordinated disclosure programme. Send a report to security@falconveritas.com with reproduction steps. Median first response is under 24 hours; we do not pursue researchers acting in good faith.
