Security
Trust is the conversion lever.
Cross-tenant leakage is the worst-case failure for a team workspace — and we treat it that way. Below are the five pillars we organize security work around, with honest status on every control. We'd rather show you what's in progress than ship a fake checkmark.
Data
Where it lives, who can read it, and how it leaves.
Data location
Live: Primary database is Supabase US-East. Edge cache only stores cookies + signed identity tokens. No PII outside US-East without explicit per-tenant request.
Encryption in transit
Live: TLS 1.3 on every Atelier surface (web, API, webhook ingress) via Vercel. HSTS preload. No mixed-content paths.
Encryption at rest
Live: AES-256 at the Supabase storage layer. Sensitive columns (HMAC subscription secrets, OAuth tokens) additionally Vault-encrypted at the row level.
Export + portability
Roadmap: Org admins can export every atelier_* row tied to their org as JSON via /admin/export — your flow definitions, runs, and traces are yours to take.
Deletion
Live: Soft-delete on archive; hard-delete on signed request within 30 days. We never delete data without explicit instruction from a verified org admin.
Identity
One PC Studio identity, scoped per org.
Authentication
Live: Supabase Auth with magic-link email by default. OAuth (Google) optional. Sessions backed by signed JWTs in HttpOnly cookies with SameSite=Lax.
Single sign-on (SAML / OIDC)
Enterprise: SSO via the @pc/identity layer for Studio Enterprise customers. Available on Studio + Enterprise tiers.
Org membership + roles
Live: pc_org_memberships scopes every user to one or more orgs with roles (owner / admin / member / viewer). Atelier project membership narrows further (lead / contributor / reviewer / observer).
Multi-factor auth
Live: TOTP MFA optional today; mandatory on Enterprise tier. Hardware key (WebAuthn) support on the v1.1 roadmap.
Audit log
Live: pc_audit_log captures member changes, subscription changes, entitlement grants, and admin actions across PC Studio. Atelier-specific run + flow edits log to atelier_traces.
Tenancy
Cross-tenant leakage is the worst-case failure. We treat it that way.
Row-Level Security on every tenant table
Live: Every atelier_* table has RLS + FORCE enabled with org-scoped policies. NULLIF hardening means a NULL user_id never matches any tenant — not even by accident.
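How RLS + FORCE with NULLIF hardening fails closed in Postgres, as an added example that is not Atelier's schema or policy code. The demo_* tables, the app.user_id session setting and the helper function are assumptions; pc_runtime is the role name given on this page.

```sql
-- Constructed demo schema; demo_* names and the app.user_id setting are assumptions.
CREATE ROLE pc_runtime NOLOGIN;  -- role name from this page; skip if it already exists

CREATE TABLE demo_org_memberships (
    org_id  uuid NOT NULL,
    user_id uuid NOT NULL,
    PRIMARY KEY (org_id, user_id)
);
CREATE TABLE demo_flows (
    id     uuid PRIMARY KEY DEFAULT gen_random_uuid(),
    org_id uuid NOT NULL,
    name   text NOT NULL
);
GRANT SELECT ON demo_org_memberships TO pc_runtime;
GRANT SELECT, INSERT, UPDATE, DELETE ON demo_flows TO pc_runtime;

-- current_setting(name, true) yields NULL when the setting was never set and ''
-- once a SET LOCAL has been reset. NULLIF folds '' into NULL, so the uuid cast
-- cannot raise and every comparison against the result evaluates to NULL.
CREATE FUNCTION demo_current_user_id() RETURNS uuid
LANGUAGE sql STABLE AS $$
    SELECT NULLIF(current_setting('app.user_id', true), '')::uuid
$$;

-- ENABLE applies policies to ordinary roles; FORCE also applies them to the table owner.
ALTER TABLE demo_org_memberships ENABLE ROW LEVEL SECURITY;
ALTER TABLE demo_org_memberships FORCE ROW LEVEL SECURITY;
ALTER TABLE demo_flows ENABLE ROW LEVEL SECURITY;
ALTER TABLE demo_flows FORCE ROW LEVEL SECURITY;

CREATE POLICY demo_own_memberships ON demo_org_memberships
    FOR SELECT TO pc_runtime
    USING (user_id = demo_current_user_id());

-- Org scope: a flow row is visible or writable only through the caller's own membership.
CREATE POLICY demo_flows_org_scope ON demo_flows
    FOR ALL TO pc_runtime
    USING (org_id IN (SELECT m.org_id FROM demo_org_memberships m
                      WHERE m.user_id = demo_current_user_id()))
    WITH CHECK (org_id IN (SELECT m.org_id FROM demo_org_memberships m
                           WHERE m.user_id = demo_current_user_id()));

-- Fail-closed check: with no identity bound, user_id = NULL is never true,
-- so both policies filter out every row for pc_runtime.
BEGIN;
SET LOCAL ROLE pc_runtime;
SELECT set_config('app.user_id', '', true);
SELECT count(*) AS visible_flows FROM demo_flows;
ROLLBACK;
```

FORCE only brings the table owner under the policies; superusers and roles with BYPASSRLS still skip them, which is why running application queries as a non-superuser role matters.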
Postgres role isolation
Live: Application queries run as pc_runtime, never as the superuser. Service-role writes happen only in tightly bounded server-only paths gated by an ESLint two-package boundary.
Cross-tenant attack grid in CI
Live: Every PR runs a battery of cross-tenant attack patterns (org A user trying to read org B data via every entry point). The grid is the same one Sage and RFP Engine use.
Server-to-server scope preservation
Live: Calls from Atelier into Sage, Sentinel, RFP, Janice always carry org_id + TenantScope. No request can leak from one org into another mid-flow.
Dedicated tenancy option
Enterprise: Enterprise customers can run Atelier inside a dedicated Supabase project (separate from the shared PC Studios database) for additional isolation.
Compliance
No fake checkmarks. Status on each framework, honest.
SOC 2 Type II
In progress: Type I audit complete on PC Studio core (identity, billing, audit log). Type II observation period in progress for the full Atelier surface. Customer letter on request.
HIPAA
Enterprise: PHI workloads require a BAA — Enterprise tier only, with hosting in a dedicated Supabase project. We will not sign a BAA on the shared tenancy.
GDPR / data subject requests
Live: Process documented. Org admins surface DSR requests; we respond within 30 days. Mnemosyne (Sage memory) honors the right-to-erasure with verifiable purge.
FedRAMP Moderate
Enterprise: Available for federal-adjacent customers on Enterprise tier — dedicated tenancy + GovCloud-tier hosting through partner.
Subprocessor list
Live: Public list of subprocessors (Vercel, Supabase, Anthropic, OpenAI, Stripe, Resend) with data-flow notes. Updated quarterly.
Operations
What we do when things go wrong.
Status page
Roadmap: status.perpetualcore.com tracks Atelier alongside Sage, Sentinel, RFP, Janice. Incident updates posted within 15 minutes of confirmation.
Incident response
In progress: On-call rotation. Severity 1 acknowledgement within 15 minutes; remediation timeline communicated within 1 hour. Postmortem published within 5 business days.
Backup + recovery
Live: Continuous WAL-based backups via Supabase. RPO 5 minutes; RTO 4 hours on shared tenancy, 1 hour on Enterprise dedicated. Tested quarterly.
Security review for major changes
Live: New step kinds, new product integrations, and any change touching tenancy boundaries pass a security review before merge.
Bug bounty
Roadmap: Coordinated disclosure to security@perpetualcore.com. Formal bounty program landing on the v1.1 roadmap.
Reporting a vulnerability
Email security@perpetualcore.com with a description, reproduction steps, and your contact for follow-up. We acknowledge within 24 hours and aim to remediate within 7 days for high-severity findings. Coordinated disclosure preferred — we'll work with you on publication timing.
A formal bug bounty program is on the v1.1 roadmap. Until then, we send swag and a shoutout in the changelog for valid reports.