Row-level security model

How tenant isolation works under the hood.

Every row in our database carries a tenant identifier. Every query is subject to a Postgres row-level security policy that requires the row's tenant to match the authenticated user's tenant. The database enforces this check, not the application.

Why this matters

Even if our application code had a bug that asked for the wrong tenant's data, the database would still refuse to return it. This is defense-in-depth — bugs in one layer don't leak data because the layer below also enforces isolation.
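
The mechanism described above, as an added PostgreSQL example that is not taken from our schema or policy set: the table invoices, the role app_user and the setting app.tenant_id are assumed names, and the rows are constructed. It assumes a scratch database and a superuser session.

```sql
-- Added example; table, role and setting names are hypothetical.
CREATE TABLE invoices (
    id        bigserial PRIMARY KEY,
    tenant_id uuid NOT NULL,
    amount    numeric(12,2) NOT NULL
);
-- Constructed sample rows for two tenants, loaded before RLS is switched on.
INSERT INTO invoices (tenant_id, amount) VALUES
    ('11111111-1111-1111-1111-111111111111', 100.00),
    ('22222222-2222-2222-2222-222222222222', 250.00);

-- RLS is off by default. FORCE applies the policy to the table owner as well.
ALTER TABLE invoices ENABLE ROW LEVEL SECURITY;
ALTER TABLE invoices FORCE ROW LEVEL SECURITY;

-- USING filters rows that are read, updated or deleted; WITH CHECK rejects
-- rows written for another tenant. A missing or empty setting becomes NULL,
-- the comparison is then never true, and no rows are visible.
CREATE POLICY tenant_isolation ON invoices
    USING (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- Superusers and BYPASSRLS roles skip policies, so the application role has neither.
CREATE ROLE app_user NOLOGIN NOSUPERUSER NOBYPASSRLS;
GRANT SELECT, INSERT ON invoices TO app_user;
GRANT USAGE ON SEQUENCE invoices_id_seq TO app_user;

BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';
-- A buggy query that names tenant 2: the policy is ANDed with the WHERE
-- clause, so tenant 2's row is filtered out before the query sees it.
SELECT id, amount FROM invoices
WHERE tenant_id = '22222222-2222-2222-2222-222222222222';
-- A write on behalf of tenant 2 fails WITH CHECK and aborts the transaction.
INSERT INTO invoices (tenant_id, amount)
VALUES ('22222222-2222-2222-2222-222222222222', 1.00);
ROLLBACK;

-- Audit: tables in schema public with RLS off, not forced, or with no policy.
SELECT c.relname, c.relrowsecurity, c.relforcerowsecurity,
       count(p.polname) AS policies
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
LEFT JOIN pg_policy p ON p.polrelid = c.oid
WHERE c.relkind = 'r' AND n.nspname = 'public'
GROUP BY c.relname, c.relrowsecurity, c.relforcerowsecurity
HAVING NOT c.relrowsecurity OR NOT c.relforcerowsecurity
    OR count(p.polname) = 0;
```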

How to verify

Open Settings → Security and download the latest RLS policy report. It lists every table, the policy attached, and the last time we tested it against fuzzed cross-tenant queries.