Security at every layer.
We are a young product, and we are honest about it. Below is the actual list of controls that ship today — built on Postgres RLS, envelope encryption, and a strict audit trail.
Encryption
Envelope encryption: a single KMS-resident master key wraps a per-tenant data-encryption key (DEK). Every transcript and PII column is encrypted at rest under its tenant's DEK, so the master key itself never touches row data. TLS 1.2+ on every connection.
Per docs/03-DATABASE.md
RLS multi-tenancy
Tenant isolation is enforced at six layers: Postgres connection role, RLS policy, Prisma extension guard, route-handler guard, server-action guard, and audit log. Every tenant query runs inside runWithOrgContext().
Per docs/10-TENANCY.md
Authentication
Magic-link sign-in (no passwords). JWTs with a 24h TTL, signed with JWT_SECRET. hCaptcha gate on /auth/email and /auth/dev/login to throttle automated sign-in attempts. Sessions are revocable from your profile.
Audit log
Append-only audit table — admin and manager actions, score overrides, role changes, exports, and deletions. Retained for 7 years to align with employment-record baselines. Exportable on demand.
Rate limits + Helmet CSP
Redis token bucket on every authenticated route (per-user and per-IP). Helmet sets a strict Content-Security-Policy, HSTS, X-Frame-Options, and Referrer-Policy on every response.
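An added example (not Avelto's code) of the token-bucket limiter this section describes. The Lua script is the usual shape of an atomic Redis bucket (assumed, not copied from the project; it would be run with EVAL and is not executed here), and the in-memory TokenBucketStore mirrors the same arithmetic with an injectable clock so the refill and the per-user plus per-IP composition can be exercised offline. Capacities, key prefixes and function names are assumptions.

```javascript
// Added example, not Avelto's code. The Lua is the assumed shape of the Redis
// side (KEYS[1] = bucket key; ARGV = capacity, refill/sec, now-ms, cost); the
// JS store below implements the same rule in memory for an offline demo.
const TOKEN_BUCKET_LUA = `
local data = redis.call('HMGET', KEYS[1], 'tokens', 'ts')
local capacity, rate = tonumber(ARGV[1]), tonumber(ARGV[2])
local now, cost = tonumber(ARGV[3]), tonumber(ARGV[4])
local tokens = tonumber(data[1]) or capacity
local ts = tonumber(data[2]) or now
tokens = math.min(capacity, tokens + (now - ts) / 1000 * rate)
local allowed = 0
if tokens >= cost then tokens = tokens - cost; allowed = 1 end
redis.call('HSET', KEYS[1], 'tokens', tokens, 'ts', now)
redis.call('PEXPIRE', KEYS[1], math.ceil(capacity / rate * 1000))
return {allowed, tokens}`;

// In-memory token bucket: `capacity` tokens, refilled continuously at
// `refillPerSecond`. `now` is injectable so tests can advance time.
class TokenBucketStore {
  constructor(capacity, refillPerSecond, now = () => Date.now()) {
    this.capacity = capacity;
    this.rate = refillPerSecond;
    this.now = now;
    this.buckets = new Map();
  }

  // Refill since the last visit, then try to spend `cost` tokens.
  take(key, cost = 1) {
    const now = this.now();
    const b = this.buckets.get(key) ?? { tokens: this.capacity, ts: now };
    b.tokens = Math.min(this.capacity, b.tokens + ((now - b.ts) / 1000) * this.rate);
    b.ts = now;
    const allowed = b.tokens >= cost;
    if (allowed) b.tokens -= cost;
    this.buckets.set(key, b);
    return { allowed, remaining: Math.floor(b.tokens) };
  }
}

// Per-user and per-IP limits both apply to an authenticated request. The IP
// bucket is checked first so a flood from one address is cut off before it
// can drain the buckets of the accounts it is hitting.
function limitRequest(userLimiter, ipLimiter, userId, ip) {
  const byIp = ipLimiter.take(`ip:${ip}`);
  if (!byIp.allowed) return { status: 429, scope: "ip" };
  const byUser = userLimiter.take(`user:${userId}`);
  if (!byUser.allowed) return { status: 429, scope: "user" };
  return { status: 200, remaining: Math.min(byIp.remaining, byUser.remaining) };
}
```

The Redis version matters for correctness under concurrency: read, refill, decrement and write must happen in one EVAL so two app instances cannot both see the same token count and both admit a request.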
Reporting a vulnerability
Found something? We treat security reports with priority and never blame the messenger. Send full details to hello@avelto.app — include reproduction steps, scope, and any PoC. We respond within 48 hours and aim to remediate in-scope issues within 14 days.