Security
Security is the product.
Polimorf hosts the dashboards your clients run their business on. We treat that responsibility seriously. This page is a working summary of how we protect your data.
Organization isolation
Each organization gets its own Postgres schema, its own pool, and its own routing entry. Cross-organization access is blocked at the database layer, not just the row.
- Per-org schema + dedicated connection pool
- Schema-aware migrations run independently per organization
- No shared row IDs across organizations
Authentication
Short-lived access tokens in memory, refresh tokens in HttpOnly cookies. MFA on every account. SSO ready.
- TOTP-based MFA with recovery codes
- SSO via OIDC (SAML on the roadmap)
- Session-bound CSRF sentinel headers
Application security
Hardened defaults. Strict CORS. Audit logs. Rate limiting and abuse protection at the gateway.
- Per-site dynamic CORS with refcount tracking
- Rate limiter and abuse middleware outermost in the stack
- Audit log of every privileged action
Data protection
Encryption in transit and at rest. Backups encrypted, region-scoped, and rolled off on a defined schedule.
- TLS for every public request
- Encryption at rest on managed Postgres + object storage
- Backup retention with 30-day rollover
Observability
Structured logging, request metrics, error tracking. Investigations move fast because data is fast.
- Structured JSON logs
- Per-request metrics + traces
- Error grouping with environment + actor context
Incident response
Documented runbooks. Notification SLAs. Customer-facing post-mortems.
- On-call rotation for production
- 72-hour breach notification commitment
- Public post-mortems for material incidents
Compliance
Where we stand today.
We are an alpha-stage platform. Some certifications are aligned today; others are on the roadmap. Status is published here as it evolves. no waiting for an enterprise sales call.
- GDPRAligned
- CCPAAligned
- SOC 2 Type IIIn progress
- ISO 27001On roadmap
Report a vulnerability
Researchers welcome. Email security@polimorf.com. We respond within two business days and credit disclosures in the changelog.
Trust center
Sub-processor list, DPA, status page, and incident archive at the trust center.