Security Dossier
How Orbrik
protects your data.
Six controls. No ambiguity. Every statement on this page refers to shipped, verified code — not roadmap, not intent.
CONTROL 01
Capture
Data enters through five verified channels only.
Five ingest paths — no others
WhatsApp · LINE · Voice notes · Meetings · In-app capture. No email ingest. No Slack. No Notion. No calendar sync. What isn't listed doesn't exist.
Channel opt-in before first message
Each channel requires explicit opt-in verification. Unknown senders are rejected at the gateway before any data is written.
Low-confidence review gate
Captures that cannot be confidently attributed are held in the Needs You queue for founder review. Nothing enters the system without a verified origin.
CONTROL 02
Isolation
Every organisation's data is isolated at the database layer.
RLS on organisations (Option D)
Row-Level Security enforced on the organisations table. Policy: membership-join OR current-org OR owner-account. Fail-closed when the session GUC is unset. Migration 0029.
RLS on org_memberships (Option C)
Account-keyed RLS on the org_memberships table. An authenticated account can only read its own membership rows. Migration 0031.
No human API path holds BYPASSRLS
Only the background worker (orbrik_worker) runs with BYPASSRLS — for scheduled jobs that must read across orgs. Every human API path is RLS-enforced with no exceptions.
Cross-org guard on every path parameter
Path org_id is compared to the authenticated request context at every endpoint. A member of Org A cannot read Org B's data — even with a valid JWT and a known UUID.
CONTROL 03
Storage
One database. Daily backups. Restore-tested.
PostgreSQL with pgvector
All business data stored in a single PostgreSQL instance with the pgvector extension for semantic search embeddings. No data leaves the primary store during normal operation.
Object storage with enforced timeouts
File attachments use R2/S3 via boto3 with explicit timeouts: 5s connect · 30s read · adaptive retry 3×. No silent hangs.
Daily backups via pg_dump → R2
pg_dump -Fc runs on a systemd timer. Each backup is uploaded to R2 and old copies are pruned on a rolling schedule.
Restore-tested
The restore procedure runs against a throwaway pgvector/pg16 environment. Last verified: 1,238 organisations restored clean.
CONTROL 04
Access
Two independent gates. Either alone denies access.
require_account
Validates the JWT and checks account suspension. A suspended account is denied before any org check runs — independently of org state.
require_org
Validates org membership and checks org suspension. A suspended org is denied regardless of account status.
Independent suspension precedence
Account suspension and org suspension are architecturally independent. Neither unsuspends the other. Both gates must pass for any request to proceed.
require_super_admin
Platform operations pass a third gate with no cross-escalation. Super-admin access cannot be derived from founder or org-owner status.
CONTROL 05
Audit
Every platform action is logged. Append-only. Immutable.
platform_audit_log — append-only
The audit table has no UPDATE path and no DELETE path. The writer role (orbrik_worker) holds SELECT + INSERT only. Schema-level tamper resistance.
Atomic commit
The audit row and the state change commit in the same database transaction. A mutation with no audit entry cannot exist.
Actor identity preserved past deletion
actor_account_id is NULLABLE ON DELETE SET NULL. If an actor's account is later deleted, the audit row survives intact — the record outlives the actor.
CONTROL 06
Founder Controls
Nothing runs in your business without your approval.
T2 invariant — architectural, not a setting
No agent output is applied to your business without explicit founder approval. This is not configurable — there is no auto-apply path in the codebase.
Approve or reject. Nothing in between.
Every agent draft routes to the Needs You queue. Two exits: Approved or Rejected. The agent waits. Nothing proceeds until you decide.
Suspension is reversible and audited
Account and organisation suspension are independently enforceable and reversible by the platform operator. Every change is logged to the audit trail.
Your account state is always readable
Founders retain read access to their own account state at all times. No background process modifies your data without an audited, approved trigger.
End of Dossier
Open your workspace→