Security

Hosted on Vercel's edge network with automatic DDoS protection, global CDN distribution, and enterprise-grade uptime SLAs. Every request is served from the nearest edge location for minimal latency and maximum resilience.

Powered by Neon PostgreSQL with AES-256 encryption at rest and TLS 1.3 encryption in transit. Automated backups with point-in-time recovery. Connection pooling with secure credential rotation.

Clerk provides SOC 2 Type II certified authentication with multi-factor authentication (MFA), secure session management, brute-force protection, and bot detection. Sessions are short-lived and automatically rotated.

Every database table includes a tenant_id column. Every query is scoped to the authenticated tenant. There is zero possibility of cross-tenant data leakage — isolation is enforced at the data layer, not the application layer.

Every create, update, and delete operation is logged in an append-only audit_logs table. Each entry records the user, timestamp, resource type, action, and full before/after values. Audit logs cannot be modified or deleted — ever.

Role-based access control (RBAC) with five system roles plus support for custom roles. Permissions are granular — scoped by resource type, action, and organizational scope. RBAC checks are enforced in domain services, not the UI.

All data is encrypted at rest using AES-256 and in transit using TLS 1.3. Encryption keys are managed through secure key management infrastructure. Sensitive fields like SSN and government IDs receive additional application-layer encryption.

Built-in compliance module with document retention policies, policy acknowledgment tracking, certification management, and expiration monitoring. Designed to support SOC 2, GDPR, and employment law requirements out of the box.