Tracegence
Never fear a document audit again
Security

The facts an InfoSec reviewer needs.

Architectural detail you can paste into a vendor questionnaire - not platitudes. Each claim ties to a verifiable control in the codebase.

Tenancy

Row-level security with WITH CHECK

Policies block cross-tenant reads, and the WITH CHECK clause rejects any write whose tenant_id does not match the session's tenant. A CI gate runs on every PR: open a connection without SET LOCAL app.tenant_id and assert that zero rows are visible in any tenant table.

Encryption

AES-256 at rest · TLS 1.2+ in transit

Every S3 write enforces ServerSideEncryption=AES256 at the call site (not just bucket policy). TLS 1.2+ for every API call. Standard tier shares an AWS-managed KMS key; Pro tier gets a dedicated schema; Enterprise gets a customer-managed CMK (SSE-KMS); Sovereign gets a region-pinned Aurora cluster.

Audit log

DB-trigger immutability + S3 Object Lock

A Postgres trigger raises on UPDATE / DELETE against audit_logs. Long-term archives go to S3 with Object Lock retention. Even a compromised admin can't rewrite history.
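The RLS policy with WITH CHECK from the Tenancy section and the append-only trigger described here, written out as an added example in Postgres SQL. It is not Tracegence's own schema: the documents table, its columns and the sample UUID are assumed; app.tenant_id and audit_logs are the names the page uses.

```sql
-- Added example (not Tracegence's schema). Requires PostgreSQL 11+ for EXECUTE FUNCTION.
CREATE TABLE documents (
    id        bigserial PRIMARY KEY,
    tenant_id uuid NOT NULL,
    body      text NOT NULL
);

ALTER TABLE documents ENABLE ROW LEVEL SECURITY;
ALTER TABLE documents FORCE ROW LEVEL SECURITY;   -- policy also binds the table owner

-- USING filters reads; WITH CHECK rejects INSERT/UPDATE rows whose tenant_id
-- differs from the session tenant, so a write cannot land in another tenant.
-- current_setting(..., true) yields NULL instead of an error when the setting
-- is absent, so a connection that skipped SET LOCAL matches no rows at all.
CREATE POLICY tenant_isolation ON documents
    USING      (tenant_id = nullif(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = nullif(current_setting('app.tenant_id', true), '')::uuid);

-- Normal request path: pin the tenant for this transaction only.
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';  -- constructed sample id
INSERT INTO documents (tenant_id, body)
    VALUES ('11111111-1111-1111-1111-111111111111', 'own tenant');   -- passes WITH CHECK
-- The next statement fails with "new row violates row-level security policy":
-- INSERT INTO documents (tenant_id, body)
--     VALUES ('22222222-2222-2222-2222-222222222222', 'other tenant');
COMMIT;

-- CI gate, run as the application role (not a superuser or BYPASSRLS role)
-- on a fresh connection with no SET LOCAL: must return true for every tenant table.
SELECT count(*) = 0 AS no_leak FROM documents;

-- Audit log immutability: UPDATE and DELETE are refused inside the database,
-- so a compromised application credential cannot rewrite history.
CREATE TABLE audit_logs (
    id         bigserial PRIMARY KEY,
    tenant_id  uuid NOT NULL,
    event      jsonb NOT NULL,
    created_at timestamptz NOT NULL DEFAULT now()
);

CREATE FUNCTION audit_logs_immutable() RETURNS trigger LANGUAGE plpgsql AS $$
BEGIN
    RAISE EXCEPTION 'audit_logs is append-only: % is not permitted', TG_OP;
END $$;

CREATE TRIGGER audit_logs_no_rewrite
    BEFORE UPDATE OR DELETE ON audit_logs
    FOR EACH ROW EXECUTE FUNCTION audit_logs_immutable();
```

The trigger blocks row edits but not DROP TABLE or a TRUNCATE, which is why the S3 Object Lock archive is the second layer; revoke those privileges from the application role as well.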

DR

RTO 1h · RPO 5min · quarterly drill

Multi-AZ Aurora, two read replicas, cross-region nightly snapshot. Drill outcomes recorded in the same audit log.

Auth

Magic-link + JWT + TOTP MFA

Single-use random tokens (sha256-hashed in DB), 24h TTL. JWT issued only after password set. TOTP MFA enforced on the Owner role on Enterprise.

Compliance

SOC 2 Type I in progress · pen-test quarterly

Annual ISO 27001 posture review. GDPR / HIPAA region pinning available. BAA on Enterprise.

Try it on your own document.

Spin up a tenant, upload a CoA, watch the engine cite the failing clause.