AE Compliance

IT & Security

Tenant isolation that doesn't depend on the application getting it right.

A multi-tenant compliance ledger is a natural target for a cross-tenant data leak. Isolation here is enforced by Postgres Row-Level Security, not by an application-layer WHERE clause that could have a bug.

Database-enforced isolation

Even the table owner is policy-bound.

Row-Level Security is enabled with FORCE, under a two-role model, so a policy gap in application code can’t become a cross-tenant read. The isolation boundary lives in the database, where it can’t be bypassed by a missing filter three layers up the stack.

postgresql
ALTER TABLE ae_compliance.invoice_ledger
FORCE ROW LEVEL SECURITY;
 
CREATE POLICY tenant_isolation_ledger
ON ae_compliance.invoice_ledger
USING (tenant_id = current_setting('app.current_tenant_id')::uuid);

The rest of the security surface

Every layer designed to fail closed.

Envelope-encrypted ASP credentials

Tenant-supplied ASP credentials (BYOK) are AES-256-GCM envelope-encrypted. The key-encryption key lives outside the database — in production, in a service like AWS KMS.

TLS-only ingress

TLS 1.2/1.3-only; plain HTTP is dropped at the edge, not redirected.

Signed, replay-protected webhooks

HMAC-SHA256-signed webhooks in both directions, with timestamp freshness windows and nonce replay protection on inbound ASP callbacks.

Tamper-evident by design

The audit trail is append-only and trigger-enforced at the database — there's no application code path that can rewrite history.

Data residency

Deploying in the UAE region.

Deployment to AWS me-central-1 is in progress — residency built into the deployment target from the start, not retrofitted after a customer asks where the data lives.

Review the isolation model against your own security checklist.