
Security

Effective 2026-05-07.

Foundation Collab is built defensively. Tenant isolation is enforced at the database, not just in the application. Identity defaults to passwordless. Recordings are consent-gated. And every administrative action is audited.

Authentication

  • Microsoft OAuth, Google OAuth, WebAuthn passkeys, or email magic-link.
  • MFA required for HQ Owners, HQ Staff, and Parent Admins (TOTP or passkey).
  • Suspicious-login detection: new device fingerprint triggers email confirmation + step-up auth.
  • Session cookies are HttpOnly, Secure, SameSite=Lax, and (in production) scoped to the parent domain so a single sign-in covers the HQ, Parent, and Member subdomains. That scope also means every one of those subdomains is inside the session's trust boundary: the cookie is readable from each of them.

Tenant isolation

  • Every tenant-scoped table has a tenantId column and a Postgres RLS policy.
  • The application sets app.tenant_id on the database session per request.
  • HQ-only operations use a separate connection with BYPASSRLS, only constructed inside HQ-flagged route handlers.
  • Integration tests assert that a query without app.tenant_id returns zero rows.
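As an added illustration, not Foundation Collab's own schema or migration code, here is the shape of the setup those four points describe, in plain Postgres SQL. The table `message`, the roles `app_user` and `hq_admin`, the passwords, and the sample UUIDs are assumptions made for the example; the `"tenantId"` column name follows the page.

```sql
-- Added example, not Foundation Collab's own schema: the RLS setup described above in
-- plain Postgres SQL. Table "message", roles app_user / hq_admin, the passwords and the
-- sample UUIDs are assumptions for the example. Run as the schema owner.

CREATE TABLE message (
  id         bigserial PRIMARY KEY,
  "tenantId" uuid NOT NULL,
  body       text NOT NULL
);

-- ENABLE alone exempts the table owner; FORCE makes the policy apply to the owner too,
-- so isolation does not silently depend on which role the app happens to connect as.
ALTER TABLE message ENABLE ROW LEVEL SECURITY;
ALTER TABLE message FORCE ROW LEVEL SECURITY;

-- One policy for all commands (WITH CHECK defaults to the USING expression, so writes
-- tagged with another tenant are rejected as well). The second argument to
-- current_setting makes an unset placeholder return NULL instead of raising; NULLIF
-- covers the '' a placeholder reads back as once an earlier SET LOCAL has expired.
-- Either way the comparison is NULL and no row matches.
CREATE POLICY tenant_isolation ON message
  USING ("tenantId" = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

CREATE ROLE app_user LOGIN PASSWORD 'change-me';            -- NOBYPASSRLS is the default
CREATE ROLE hq_admin LOGIN PASSWORD 'change-me' BYPASSRLS;  -- only for HQ-flagged handlers
GRANT SELECT, INSERT, UPDATE, DELETE ON message TO app_user, hq_admin;
GRANT USAGE, SELECT ON SEQUENCE message_id_seq TO app_user, hq_admin;

-- Constructed sample rows for two tenants.
INSERT INTO message ("tenantId", body) VALUES
  ('11111111-1111-1111-1111-111111111111', 'visible to tenant A'),
  ('22222222-2222-2222-2222-222222222222', 'visible to tenant B');

-- Per-request pattern as the application role. SET LOCAL binds the value to this
-- transaction, so it cannot leak to the next request that borrows the same pooled
-- connection. (Outside a transaction SET LOCAL is only a WARNING and does nothing:
-- the query then runs with no tenant and returns zero rows rather than leaking.)
SET ROLE app_user;
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';
SELECT body FROM message;
-- A write tagged with the other tenant is refused by the same policy:
--   INSERT INTO message ("tenantId", body)
--     VALUES ('22222222-2222-2222-2222-222222222222', 'smuggled');
--   ERROR:  new row violates row-level security policy for table "message"
COMMIT;

-- The integration-test invariant from the last point above: with app.tenant_id unset,
-- a tenant-scoped query returns nothing. This raises if any row is visible.
DO $$
DECLARE n bigint;
BEGIN
  SELECT count(*) INTO n FROM message;
  IF n <> 0 THEN
    RAISE EXCEPTION 'RLS leak: % rows visible with no app.tenant_id set', n;
  END IF;
END $$;
RESET ROLE;
```

Inside the transaction the `SELECT` sees only tenant A's row; after `COMMIT` the setting has expired and the `DO` block's count is zero, which is the property the integration tests pin down. The `BYPASSRLS` role should only ever be handed to the HQ connection, and migrations should run as the owner, not as `app_user`, so that `FORCE` is the only thing standing between the runtime role and the policy.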

Application security

  • Strict CSP with nonces, no unsafe-inline.
  • CSRF protection on every mutating route (Auth.js handles it for its session routes; tRPC procedures validate the request Origin).
  • Rate limiting via Upstash on auth, invites, message-send, and uploads.
  • File uploads use presigned URLs, MIME sniffing, ClamAV scanning, EXIF stripping.
  • HSTS, COOP, Referrer-Policy, Permissions-Policy. Cloudflare WAF in front.

Encryption

  • TLS 1.2+ in transit (Cloudflare termination + Vercel-managed certs).
  • Encryption at rest on Postgres (Neon-managed) and object storage (Cloudflare R2 / S3).
  • Secrets in Vercel env + Doppler/1Password; rotated quarterly.

Audit log

Every administrative action (publishes, deletions, reviews, exports, and Copilot tool calls) is recorded in an append-only audit log with a hash chain for tamper evidence. Retention: 2 years for HQ-scope rows, 1 year for tenant-scope rows.
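As an added example, not the page's or the product's own audit implementation, this is what an append-only, hash-chained audit table looks like in Postgres, together with the query that checks the chain. The table `audit_log`, the role `audit_writer`, the column set, and the sample events are assumptions made for the example.

```sql
-- Added example, not Foundation Collab's own schema: an append-only audit table whose
-- rows are chained by SHA-256, so editing, deleting or reordering any row breaks
-- verification. Table audit_log, role audit_writer and the sample events are assumed.

CREATE TABLE audit_log (
  id        bigint PRIMARY KEY,
  ts        timestamptz NOT NULL DEFAULT now(),
  actor     text NOT NULL,
  action    text NOT NULL,
  target    text NOT NULL,
  prev_hash text NOT NULL,   -- hash of the previous row; 64 zeros for the first row
  hash      text NOT NULL
);
CREATE SEQUENCE audit_log_id_seq OWNED BY audit_log.id;

-- Canonical encoding of the hashed fields: a JSON array escapes embedded newlines and
-- quotes, so two different field sets cannot encode to the same bytes.
CREATE FUNCTION audit_row_hash(p_prev text, p_ts timestamptz, p_actor text,
                               p_action text, p_target text)
RETURNS text LANGUAGE sql STABLE AS $$
  SELECT encode(sha256(convert_to(
    jsonb_build_array(p_prev, extract(epoch FROM p_ts), p_actor, p_action, p_target)::text,
    'UTF8')), 'hex');
$$;

CREATE FUNCTION audit_log_chain() RETURNS trigger LANGUAGE plpgsql AS $$
DECLARE
  tip text;
BEGIN
  -- Serialize appenders: two concurrent inserts must not both chain onto the same tip.
  -- An advisory lock avoids the deadlock that a LOCK TABLE upgrade inside an INSERT
  -- can cause when two inserts race.
  PERFORM pg_advisory_xact_lock(hashtext('audit_log_chain'));
  -- Draw the id only now, under the lock, so id order and chain order always agree.
  NEW.id := nextval('audit_log_id_seq');
  SELECT hash INTO tip FROM audit_log ORDER BY id DESC LIMIT 1;
  NEW.prev_hash := coalesce(tip, repeat('0', 64));
  NEW.hash := audit_row_hash(NEW.prev_hash, NEW.ts, NEW.actor, NEW.action, NEW.target);
  RETURN NEW;
END $$;

CREATE TRIGGER audit_log_chain BEFORE INSERT ON audit_log
  FOR EACH ROW EXECUTE FUNCTION audit_log_chain();

-- Append-only. The privilege split is the tamper resistance (the writer role gets no
-- UPDATE or DELETE at all); the trigger is a second line for roles that do have them.
CREATE FUNCTION audit_log_immutable() RETURNS trigger LANGUAGE plpgsql AS $$
BEGIN
  RAISE EXCEPTION 'audit_log is append-only: % on row % refused', TG_OP, OLD.id;
END $$;
CREATE TRIGGER audit_log_immutable BEFORE UPDATE OR DELETE ON audit_log
  FOR EACH ROW EXECUTE FUNCTION audit_log_immutable();

CREATE ROLE audit_writer LOGIN PASSWORD 'change-me';
GRANT SELECT, INSERT ON audit_log TO audit_writer;
GRANT USAGE ON SEQUENCE audit_log_id_seq TO audit_writer;

-- Constructed sample events.
INSERT INTO audit_log (actor, action, target) VALUES
  ('hq:alice', 'publish',   'page:42'),
  ('hq:alice', 'export',    'tenant:11111111-1111-1111-1111-111111111111'),
  ('copilot',  'tool_call', 'send_message');

-- Verification walk: each row must point at the hash of the row before it and must
-- hash to what it claims. Any row listed here is the first tampered or missing entry.
SELECT id, prev_hash_ok, hash_ok
FROM (
  SELECT id,
         prev_hash = coalesce(lag(hash) OVER (ORDER BY id), repeat('0', 64)) AS prev_hash_ok,
         hash = audit_row_hash(prev_hash, ts, actor, action, target)          AS hash_ok
  FROM audit_log
) chk
WHERE NOT prev_hash_ok OR NOT hash_ok;
```

An empty result from the final query means the chain is intact. The chain proves that the rows present are the sequence that was written; it does not prove the sequence is complete. Someone who can rewrite every later row, or who removes the trailing rows, produces a table that still verifies. Anchoring the current tip hash somewhere the database cannot reach (exported with each backup, or logged to a separate system) is what closes that gap.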

Reporting a vulnerability

Email [email protected]. We acknowledge within one business day. If your finding is novel and reproducible, we publicly credit you (with your permission) once it's fixed.