Security

Hold every workspace to one security posture.

Codexroom secures the data, isolates the tenants, audits every action, and authenticates every user. The detail below covers each layer.

Data at rest

AES-256 with managed key rotation.

All data is encrypted at rest with AES-256. Database storage runs on Supabase Postgres with managed key rotation. Object storage runs on Supabase storage with the same encryption posture.

Data in transit

TLS 1.3 across every external endpoint.

TLS 1.3 across every external endpoint. HSTS enforced. Certificates managed through Let's Encrypt via the hosting provider.

Tenancy

Row-level security on every domain table.

Every domain table carries an organization_id column. Row-level security policies enforce tenant scope at the Postgres level. Every query runs through a tenant context helper that sets the active org, user, and role for the duration of the request. Application code never runs a manual WHERE organization_id = ? filter. The database does it.
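
The tenant-scoping pattern described above, as an added Postgres example that is not Codexroom's own schema or code. The decks table, the app_user role and the app.organization_id setting name are assumptions; the example also covers a request that arrives with no tenant context set.

```sql
-- Added example: decks, app_user and app.organization_id are assumed names.
CREATE TABLE decks (
    id              uuid PRIMARY KEY DEFAULT gen_random_uuid(),
    organization_id uuid NOT NULL,
    title           text NOT NULL
);

-- ENABLE turns policies on; FORCE applies them to the table owner as well.
ALTER TABLE decks ENABLE ROW LEVEL SECURITY;
ALTER TABLE decks FORCE ROW LEVEL SECURITY;

-- current_setting(..., true) returns NULL when the setting was never set.
-- A transaction-local custom setting can read back as '' in later
-- transactions on the same connection, so NULLIF maps '' to NULL too.
-- A comparison with NULL is never true: no context means no rows match.
CREATE POLICY decks_tenant_scope ON decks
    USING (organization_id =
           NULLIF(current_setting('app.organization_id', true), '')::uuid)
    WITH CHECK (organization_id =
           NULLIF(current_setting('app.organization_id', true), '')::uuid);

-- The application role must not be SUPERUSER or BYPASSRLS; both skip policies.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON decks TO app_user;

-- What a tenant context helper would run for one request (constructed org id).
BEGIN;
SET LOCAL ROLE app_user;
-- Third argument true = local to this transaction, so the context cannot
-- leak to the next request served by a pooled connection.
SELECT set_config('app.organization_id',
                  '11111111-1111-1111-1111-111111111111', true);
INSERT INTO decks (organization_id, title)
VALUES ('11111111-1111-1111-1111-111111111111', 'Q3 board deck');
-- No WHERE organization_id filter here: the policy scopes the query.
SELECT id, title FROM decks;
-- An INSERT or UPDATE carrying a different organization_id would be
-- rejected by the WITH CHECK clause.
COMMIT;

-- Same role with no context set: the policy predicate evaluates to NULL
-- for every row, so the query is scoped to nothing rather than everything.
BEGIN;
SET LOCAL ROLE app_user;
SELECT id, title FROM decks;
COMMIT;
```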

Authentication

Clerk for sign-in, SAML / OIDC / SCIM on Enterprise.

Clerk handles user authentication. Sign-in across the apex and tenant subdomains shares a session through Clerk's satellite domain configuration. SSO with SAML, OIDC, and the common identity providers ships on the Enterprise plan. SCIM provisioning ships on Enterprise.

Authorisation

Three roles, owned by Codexroom.

Codexroom owns its own role model. Three roles: governor (holds the library), creator (composes decks), viewer (reads decks). Roles live in Codexroom's memberships table. The single permission gate is assertRole(allowed_roles) in every API route.

Audit log

Append-only. No update path. No delete path.

Every mutation writes an append-only audit log entry under the user who made the change. The log carries the actor, the action, the resource, the metadata, and the timestamp. The log has no update path and no delete path.

Share gates

Five gates per link, fail-closed, audit-logged on every rejection.

Every external share carries up to five gates the governor configures per link: password, IP allowlist, origin allowlist, country allowlist, email verification with a 6-digit code, and a view cap that self-revokes the share after the agreed number of opens. Each gate runs server-side, fails closed, and writes every rejection to the audit log under a structured gate.* code. Combined with per-recipient watermarks and the steganographic fingerprint, the gates give the security team a per-share, per-recipient, per-event posture for confidential decks.

Vulnerability management

Quarterly pen-tests. 24-hour critical CVE patching.

Quarterly third-party penetration tests. Dependabot on every repository. Critical CVE patching inside 24 hours, high inside 7 days. Bug bounty programme open to invited researchers.

Backups and recovery

Daily encrypted backups. RPO 24 h. RTO 4 h.

Daily encrypted database backups with 30-day retention on Pro and 90-day retention on Enterprise. RPO target 24 hours. RTO target 4 hours. Tested quarterly.

Incident response

72-hour customer notification on data incidents.

A documented response runbook. Customer notification inside 72 hours for any incident affecting customer data. Status updates on status.codexroom.com during the incident.
