Per-action RBAC, re-checked every request
Every server action and API handler opens with a fresh authorization check against the database — never a cached token claim. The UI hides what a role can't do; the server always re-checks.
Security architecture
We sell assurance. A platform that holds your risks, policies and audit evidence has to withstand the same scrutiny it helps you apply — so authorization is re-checked on every request, the audit trail is protected by the database itself, and stored credentials are encrypted at rest and never returned by any API.
Defense in depth
The controls your own ISO 27001 or SOC 2 program expects of any vendor — built into the architecture, not bolted on afterwards.
Every server action and API handler opens with a fresh authorization check against the database — never a cached token claim. The UI hides what a role can't do; the server always re-checks.
The audit log is append-only and protected at the database level: a database trigger blocks updates and deletes, and the application connects as a restricted database role that holds no such grants in the first place.
Connector, SMTP and SSO credentials are encrypted at rest with AES-256-GCM under an instance master key — and no API ever returns them.
TOTP-based 2FA, SSO via OIDC with claim mapping and just-in-time provisioning, configurable password policy and account lockout, plus session listing and revocation for administrators.
TLS everywhere — through the bundled proxy option or your own — with HSTS and secure cookies, a strict CSP, and rate limiting on login and API endpoints.
Every row is scoped to its workspace and that scoping is enforced at the action layer — and each module ships an isolation test proving two workspaces can never see each other.
On-prem posture
The same code runs in the cloud and on your own servers — but on-prem, it runs entirely on its own.
The model
A user gets the union of their assigned roles and nothing more — and the application itself connects to the database as a restricted role with no destructive grants.
Authorization is re-checked against the database on every single request, and sensitive transitions — like risk acceptance — go through a recorded approval chain.
Every mutation, login and security event — an SSO configuration change, a role change, a license upload — lands in the append-only audit trail with an actor snapshot and a diff.
When your auditor asks who changed what and when, the answer is filterable, paginated, and impossible to have quietly edited after the fact.
Wherever you decide. In the cloud, your workspace lives in our managed environment, with every row scoped to your workspace and isolation tests shipped per module. On-prem, everything lives on your own infrastructure — Docker on Linux or natively on Windows Server — and the code path is identical in every deployment.
No — nothing leaves your network. An on-prem instance requires no outbound calls: the license is verified offline, telemetry is off by default, and error reporting only happens if you explicitly opt in.
Three layers: the log is append-only, a database-level trigger blocks updates and deletes, and the application connects as a restricted database role that has no update or delete grants on the audit log at all — so even a platform administrator working through the app cannot rewrite history.
Any OIDC-compatible provider — Microsoft Entra ID, Okta, Google and others. You configure the issuer and client credentials, map claims to user attributes, provision users just-in-time with a default role, and can disable local login entirely.
Get started
Book a 30-minute walkthrough. We'll map your program to the modules you need — cloud, on-prem Linux or Windows Server.
Every module works standalone. License only what you need — grow when you're ready.