Security

Security is the product.

Polimorf hosts the dashboards your clients run their business on. We treat that responsibility seriously. This page is a working summary of how we protect your data.

Organization isolation

Each organization gets its own Postgres schema, its own pool, and its own routing entry. Cross-organization access is blocked at the database layer, not just the row.

  • Per-org schema + dedicated connection pool
  • Schema-aware migrations run independently per organization
  • No shared row IDs across organizations

Authentication

Short-lived access tokens in memory, refresh tokens in HttpOnly cookies. MFA on every account. SSO ready.

  • TOTP-based MFA with recovery codes
  • SSO via OIDC (SAML on the roadmap)
  • Session-bound CSRF sentinel headers

Application security

Hardened defaults. Strict CORS. Audit logs. Rate limiting and abuse protection at the gateway.

  • Per-site dynamic CORS with refcount tracking
  • Rate limiter and abuse middleware outermost in the stack
  • Audit log of every privileged action

Data protection

Encryption in transit and at rest. Backups encrypted, region-scoped, and rolled off on a defined schedule.

  • TLS for every public request
  • Encryption at rest on managed Postgres + object storage
  • Backup retention with 30-day rollover

Observability

Structured logging, request metrics, error tracking. Investigations move fast because data is fast.

  • Structured JSON logs
  • Per-request metrics + traces
  • Error grouping with environment + actor context

Incident response

Documented runbooks. Notification SLAs. Customer-facing post-mortems.

  • On-call rotation for production
  • 72-hour breach notification commitment
  • Public post-mortems for material incidents

Compliance

Where we stand today.

We are an alpha-stage platform. Some certifications are aligned today; others are on the roadmap. Status is published here as it evolves. no waiting for an enterprise sales call.

  • GDPRAligned
  • CCPAAligned
  • SOC 2 Type IIIn progress
  • ISO 27001On roadmap

Report a vulnerability

Researchers welcome. Email security@polimorf.com. We respond within two business days and credit disclosures in the changelog.

Trust center

Sub-processor list, DPA, status page, and incident archive at the trust center.