Security

Security at 1CAnalog is not a feature — it is the foundation. Highlights below.

Tenant isolation

Every tenant-scoped query runs under PostgreSQL Row-Level Security. Cross-tenant access is impossible at the database layer, not just the application layer. A non-privileged runtime role enforces this — a startup guard refuses to boot on a bypass-capable role.

Encryption

TLS in transit, AES-256 at rest. Daily backups, encrypted, with point-in-time recovery on Business+.

Audit

Every mutation is recorded in an immutable audit log with tenant_id, user_id, before/after diff. Visible to admins in /admin/audit.

Authentication

Clerk-backed: passwordless, social, SSO on Enterprise. JWT-bridged for mobile clients.

Disclosure

Report vulnerabilities to security@1canalog.app. We acknowledge within 48 hours.