Trust center
The artifacts your CISO will ask for.
Honest scope. We say implemented when the mechanism exists in the split proof, in progress when it is drafted, and planned when the work has a clear owner. Nothing is listed to fill a row, and every implemented claim names the mechanism that enforces it.
Isolation invariants
Four things the schema enforces, not the application.
The strongest isolation claims are enforced at the database schema level, not by application-layer filtering. These four invariants hold even if a future code bug forgets a WHERE clause.
- One tenant cannot read another's data.
tenant_id is a non-nullable column on every table. Unique constraints lead with tenant_id. No query without a tenant_id clause can return cross-tenant rows.
Enforced at schema layer; verified by tenancy-auditor conformance test on every PR.
- One environment cannot see another's entities.
environment_id FKs are scope-enforced. A command targeting environment A cannot reference an entity created in environment B.
Environment scope test runs in the integration suite against a real Postgres instance.
- No state change bypasses the command layer.
There is no admin DB endpoint, background job, or migration that writes entity state outside a command. All writes resolve through the command-receipts table.
Tier boundary contracts forbid direct DB writes from non-command packages; checked by the contract suite on every CI run.
- Receipts cannot be altered after the fact.
The command_receipts table has no UPDATE or DELETE path. Receipts are appended on command execution and read by the replay and audit surfaces. The schema has no soft-delete column on this table.
Schema DDL has no UPDATE trigger; GraphQL schema exposes no mutation for receipts.
Status
What is implemented, what is drafted, what is planned.
Each implemented item names the mechanism that enforces it. Each in-progress item names where you can get the current draft. Planned items have a clear owner with a timeline shared in the security review.
- Tenant data isolation at the database layer (Implemented)
Every table carries tenant_id as a non-nullable column and a leading key in every multi-column unique constraint. FK relationships are tenant-scoped. A query without a tenant_id clause cannot return another tenant's rows; the schema enforces this, not application-layer filtering.
- Command-sourced writes only (Implemented)
No direct table writes exist outside the command layer. Every state change goes through an idempotent command with a CommandMetadataInput envelope carrying actor, scope, idempotency key, and policy context. There is no admin API that bypasses this path.
- Tamper-evident command receipts (Implemented)
Every executed command writes a signed receipt to command_receipts with actor, scope, payload hash, policy decision, and version applied. Receipts are append-only; no update path exists on the receipt table. Deduplication is keyed on (tenant_id, command_type, idempotency_key).
- Immutable domain events (Implemented)
Every material state change emits an immutable domain event. Events are append-only. Downstream systems (analytics, connectors, AI agents) replay from this stream without touching the write path. PII references are indirect; PII is never stored in event payload fields.
- Approval boundary on risky actions (R2+) (Implemented)
Commands are classified R0-R3 by risk. R2 commands (reservation cancellation, oversell policy change, allocation override) pause for named operator approval before execution. R3 commands (tenant config, mass-cancel) are human-only. AI agents follow the same risk classification; there is no agent-only fast path.
- Environment FK isolation (Implemented)
Every tenant can have multiple environments (sandbox, staging, production). Environment scope is enforced at the FK layer: a command targeting environment A cannot read or write entities in environment B, even within the same tenant.
- HMAC webhook signatures (Implemented)
Every outbound webhook delivery is signed with an HMAC-SHA256 signature over the payload. Receiving systems can verify the signature without storing a shared secret in the payload. Replay window enforcement prevents re-delivery attacks on the ingest surface.
- Encryption in transit and at rest (Implemented)
TLS at the edge via managed certificates on GCP and Cloudflare. Postgres data encrypted at rest via GCP's storage encryption. Secret values are stored in GCP Secret Manager; never in environment variables or config files in the repo.
- Agent identity and scope enforcement (Implemented)
AI agents authenticate with scoped MCP keys bound to an agent identity record. The CapabilityResolver enforces what commands are available for the current actor, scope, and risk class at query time. Keys are tenant-scoped and revocable without a redeploy.
- Conformance test suite (Implemented)
A conformance test bundle runs on every CI pass: tenant isolation invariants, tier boundary contracts, namespace contracts, schema-GraphQL parity, feature module discipline, and signal plane conformance. These are not unit tests; they are invariant checks that block a merge if any contract drifts.
- Dependency supply chain (Implemented)
Bun lockfile is committed and frozen on CI (--frozen-lockfile). The marketing site is the only surface with an npm dependency; all server-side packages use the Bun workspace. Dependabot PRs are reviewed weekly. No eval() or unsafe dynamic require() paths exist.
- DPA and subprocessor list (In progress)
Drafted with counsel. Shared under NDA during security review. Public versions land when the review process is complete.
- SOC 2 Type II (Planned)
Trajectory shared in the security review. We do not claim a SOC 2 we do not have. Audit scope, timeline, and currently-applied controls are shared during the security review session.
- ISO 27001 (Planned)
Planned after SOC 2, based on customer need and market timing.
- Public status page (In progress)
Public health and incident timeline for the operator console, API, and marketing site.
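Receiver-side verification for the HMAC webhook signatures item above, as an added example that is not this vendor's code. The page states only HMAC-SHA256 over the payload and a replay window; the timestamp bound into the signed string, hex encoding, the parameter names and the 300-second window are assumptions.

```javascript
const crypto = require("node:crypto");

// Assumed value: the page does not state the window or the wire format.
const REPLAY_WINDOW_SECONDS = 300;

// Assumed scheme: hex(HMAC-SHA256(secret, "<unix seconds>." + raw body)).
function signDelivery(secret, timestamp, rawBody) {
  return crypto.createHmac("sha256", secret)
    .update(`${timestamp}.`)
    .update(rawBody)
    .digest("hex");
}

// rawBody must be the bytes as received, before any JSON parsing.
// seen is a Map(signature -> timestamp) kept by the receiver.
function verifyDelivery({ secret, timestamp, signature, rawBody, now, seen }) {
  const ts = Number(timestamp);
  if (!Number.isInteger(ts)) return { ok: false, reason: "bad_timestamp" };
  if (Math.abs(now - ts) > REPLAY_WINDOW_SECONDS) {
    return { ok: false, reason: "outside_window" };
  }
  // Fixed-length hex check first: timingSafeEqual throws on unequal lengths.
  if (typeof signature !== "string" || !/^[0-9a-f]{64}$/.test(signature)) {
    return { ok: false, reason: "bad_signature_format" };
  }
  const expected = Buffer.from(signDelivery(secret, ts, rawBody), "hex");
  if (!crypto.timingSafeEqual(expected, Buffer.from(signature, "hex"))) {
    return { ok: false, reason: "signature_mismatch" };
  }
  // A valid signature seen before is a re-delivery inside the window.
  if (seen.has(signature)) return { ok: false, reason: "replayed" };
  seen.set(signature, ts);
  for (const [sig, t] of seen) {
    if (now - t > REPLAY_WINDOW_SECONDS) seen.delete(sig); // expired entries
  }
  return { ok: true, reason: "accepted" };
}

// Constructed sample delivery (not real traffic).
const demoSecret = "constructed-demo-secret";
const demoBody = Buffer.from('{"event":"reservation.created","id":"evt_demo"}');
const demoSig = signDelivery(demoSecret, 1700000000, demoBody);
const demoSeen = new Map();
for (const now of [1700000010, 1700000020, 1700000400]) {
  const r = verifyDelivery({ secret: demoSecret, timestamp: "1700000000",
    signature: demoSig, rawBody: demoBody, now, seen: demoSeen });
  console.log(now, r.reason);
}
```

The window check alone does not stop a re-delivery that arrives inside the window, which is why the receiver also keeps the set of signatures it has already accepted.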
Legal artifacts
Privacy policy, DPA, and subprocessor list.
These documents are drafted with counsel and shared under NDA in the security review. Public versions land when the review process is complete.
Email security@karmanflow.com with your CISO checklist. We respond within two business days with the current artifacts.
Talk to security
Run a working session with engineers.
We open a 30-minute call, walk through the architecture and isolation model, answer your CISO checklist with current evidence, and share the security review packet under NDA.