Security overview
AllSide Fusion is designed for multi-tenant SaaS with strict workspace isolation.
Authentication
- Email and password sign-in via Supabase Auth
- Email confirmation required for new accounts
- Session cookies with secure defaults
- Password reset via email
Workspace isolation
- Each workspace's data is scoped by workspace ID
- Row-level security (RLS) policies enforce tenant boundaries in the database
- API routes validate workspace membership before returning data
Roles and access
- Role-based access control (RBAC) for Owner, Administrator, and Staff
- Client portal users limited to their client scope
- Platform admin routes restricted to AllSide Systems operators
Transport and headers
- HTTPS enforced in production
- Security headers including Content-Security-Policy on all routes
- Stricter CSP on public intake forms
Data storage
- Application data in Supabase (PostgreSQL)
- File storage in workspace-scoped buckets with quota enforcement
- Backups managed at the infrastructure provider level — see operational runbooks
Public intake
Public intake forms are workspace-scoped. Submissions do not expose other workspace data. Rate limiting and validation apply to public endpoints.
Reporting issues
Report security concerns to support@allsidefusion.com. Do not disclose vulnerabilities publicly before we have had a chance to respond.
Compliance
Version 1 provides operational security suitable for SMB client operations. Formal compliance certifications (e.g. SOC 2) are on the future roadmap — not part of Version 1.