All documentation

Legal

Security

Authentication, isolation, and security practices in Version 1.

Security overview

AllSide Fusion is designed for multi-tenant SaaS with strict workspace isolation.

Authentication

  • Email and password sign-in via Supabase Auth
  • Email confirmation required for new accounts
  • Session cookies with secure defaults
  • Password reset via email

Workspace isolation

  • Each workspace's data is scoped by workspace ID
  • Row-level security (RLS) policies enforce tenant boundaries in the database
  • API routes validate workspace membership before returning data

Roles and access

  • Role-based access control (RBAC) for Owner, Administrator, and Staff
  • Client portal users limited to their client scope
  • Platform admin routes restricted to AllSide Systems operators

Transport and headers

  • HTTPS enforced in production
  • Security headers including Content-Security-Policy on all routes
  • Stricter CSP on public intake forms

Data storage

  • Application data in Supabase (PostgreSQL)
  • File storage in workspace-scoped buckets with quota enforcement
  • Backups managed at the infrastructure provider level — see operational runbooks

Public intake

Public intake forms are workspace-scoped. Submissions do not expose other workspace data. Rate limiting and validation apply to public endpoints.

Reporting issues

Report security concerns to support@allsidefusion.com. Do not disclose vulnerabilities publicly before we have had a chance to respond.

Compliance

Version 1 provides operational security suitable for SMB client operations. Formal compliance certifications (e.g. SOC 2) are on the future roadmap — not part of Version 1.