Tenant isolation — enforced in the database, not the application
Most multi-tenant breaches are application bugs: a missing WHERE org_id = …
clause. SMEPro removes that class of bug by construction:
- Every tenant-scoped table carries a PostgreSQL row-level security policy keyed to the session's organization (`app.current_org`).
- The organization is set only from a cryptographically verified session token — never from a header, parameter, or any other client-controlled input in production (`REQUIRE_JWT=1`).
- Each API request runs in its own transaction with the tenant pinned for its duration. A query that "forgets" to filter still returns only that tenant's rows, because the database itself refuses to show anything else.
- The application's database role has least privilege: it cannot bypass RLS, cannot read credential hashes beyond what authentication requires, and cannot alter audit records.
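The following is an added illustration of the pattern described above, not SMEPro's own schema: a tenant-scoped table whose rows are fenced by a row-level security policy on `app.current_org`, a least-privilege role that cannot bypass it, and a per-request transaction that pins the tenant with `SET LOCAL`. The table, column, role and UUID values are assumptions constructed for the example.

```sql
-- Added example (not SMEPro's schema). Names and values are constructed for illustration.

-- The application's least-privilege role: no SUPERUSER, no BYPASSRLS, so no
-- query issued through it can step around the policy below.
CREATE ROLE app_api NOLOGIN;

CREATE TABLE filings (
    id        bigserial PRIMARY KEY,
    org_id    uuid NOT NULL,
    form_code text NOT NULL,
    status    text NOT NULL
);

-- Enable RLS and force it even for the table owner.
ALTER TABLE filings ENABLE ROW LEVEL SECURITY;
ALTER TABLE filings FORCE ROW LEVEL SECURITY;

-- Rows are visible (USING) and writable (WITH CHECK) only when org_id matches
-- the transaction-scoped setting. NULLIF guards the empty string that a
-- placeholder setting reports after a previous SET LOCAL has ended; casting ''
-- to uuid would raise an error, whereas NULL simply matches nothing, so a
-- request that never pinned a tenant sees zero rows.
CREATE POLICY filings_tenant_isolation ON filings
    USING      (org_id = NULLIF(current_setting('app.current_org', true), '')::uuid)
    WITH CHECK (org_id = NULLIF(current_setting('app.current_org', true), '')::uuid);

GRANT SELECT, INSERT, UPDATE ON filings TO app_api;

-- Per request, as app_api: one transaction, tenant pinned from the verified
-- token claim. SET LOCAL reverts at COMMIT/ROLLBACK, so the pin cannot leak
-- into the next request served by the same pooled connection.
BEGIN;
SET LOCAL app.current_org = '11111111-1111-1111-1111-111111111111';  -- constructed org id from the verified JWT

-- A query with the WHERE org_id clause "forgotten" still returns only this
-- tenant's rows.
SELECT id, form_code, status FROM filings;

-- Writing a row for another tenant fails the WITH CHECK clause with
-- "new row violates row-level security policy" and aborts the transaction.
INSERT INTO filings (org_id, form_code, status)
    VALUES ('22222222-2222-2222-2222-222222222222', 'VAT-Q1', 'draft');
COMMIT;
```

In application code the pin is best issued as a bound parameter via `SELECT set_config('app.current_org', $1, true)` (the third argument `true` makes it transaction-local, equivalent to `SET LOCAL`) rather than by string-building a `SET` statement.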
Authentication
- Passwords are stored only as bcrypt hashes (work factor 10) and verified inside the database by a `SECURITY DEFINER` function — plaintext passwords never touch application logs or query traces.
- Sessions are HMAC-SHA256–signed tokens (JWT) with a 12-hour expiry. Signature and expiry are checked on every request with constant-time comparison; tampered or expired tokens are rejected with no side effects.
- Signing keys and database credentials live in GCP Secret Manager and are injected at deploy time — never committed to code or images.
- Bootstrap credentials issued at provisioning must be rotated by the workspace admin; sign-in events are timestamped per user.
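As an added example of the in-database verification described above (not SMEPro's code), the block below stores a bcrypt hash with pgcrypto and checks it inside a `SECURITY DEFINER` function, so the application role can call the check but can never read `password_hash` itself. Table, column and function names, the `app_api` role (assumed to already exist as the application's least-privilege role) and the sample credential are constructed for illustration.

```sql
-- Added example (not SMEPro's code). Names and values are constructed for illustration.

CREATE EXTENSION IF NOT EXISTS pgcrypto;

CREATE TABLE users (
    id            bigserial PRIMARY KEY,
    org_id        uuid NOT NULL,
    email         text NOT NULL UNIQUE,
    password_hash text NOT NULL,      -- bcrypt, work factor 10
    last_sign_in  timestamptz         -- sign-in events timestamped per user
);

-- Storing a credential: gen_salt('bf', 10) yields a bcrypt salt with cost 10.
INSERT INTO users (org_id, email, password_hash)
VALUES ('11111111-1111-1111-1111-111111111111', 'admin@example.test',
        crypt('constructed-bootstrap-password', gen_salt('bf', 10)));

-- Verification runs with the function owner's privileges (SECURITY DEFINER),
-- which is the only identity allowed to read the hash. crypt() re-hashes the
-- candidate with the salt embedded in the stored hash and compares the result.
-- Success returns one row (user and tenant) and records the sign-in time;
-- failure returns no row, so the caller cannot tell a wrong password from an
-- unknown email. search_path is pinned so a malicious schema cannot shadow crypt().
CREATE OR REPLACE FUNCTION verify_password(p_email text, p_password text)
RETURNS TABLE (user_id bigint, user_org_id uuid)
LANGUAGE sql
SECURITY DEFINER
SET search_path = pg_catalog, public
AS $$
    UPDATE users
       SET last_sign_in = now()
     WHERE users.email = p_email
       AND users.password_hash = crypt(p_password, users.password_hash)
    RETURNING users.id, users.org_id;
$$;

-- Least privilege for the application role: it may execute the check and read
-- non-secret columns, but the hash column is not in its grant at all.
REVOKE ALL ON FUNCTION verify_password(text, text) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION verify_password(text, text) TO app_api;
REVOKE ALL ON users FROM app_api;
GRANT SELECT (id, org_id, email, last_sign_in) ON users TO app_api;

-- As app_api:
SELECT * FROM verify_password('admin@example.test', 'constructed-bootstrap-password');  -- one row
SELECT * FROM verify_password('admin@example.test', 'wrong-password');                  -- zero rows
SELECT password_hash FROM users;  -- ERROR: permission denied for table users
```

The application should pass the candidate password as a bound query parameter rather than interpolating it into the statement text; otherwise a statement log would capture it even though the hash never leaves the database.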
Audit trail — the application can't forget
Changes to filing obligations and submissions are recorded by database triggers, not by application code that might be skipped: who, what, and when are captured on every state transition. Submissions store the exact form version and validator findings they were checked against, so any filing can be reconstructed for an examiner exactly as it stood when filed. Catalog corrections are tracked in a regulatory change ledger visible in the product.
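An added example of trigger-based auditing in the spirit of this section (not SMEPro's schema): every state transition on a submission writes a who/what/when row from inside the same transaction, the audit table accepts no direct writes from the application role, and a change with no identified actor is refused. The table and column names, the `app_api` role (assumed to already exist) and the `app.current_user` setting (assumed to be pinned per request the same way as `app.current_org`) are constructed for illustration.

```sql
-- Added example (not SMEPro's schema). Names are constructed for illustration.

CREATE TABLE submissions (
    id           bigserial PRIMARY KEY,
    org_id       uuid NOT NULL,
    form_version text NOT NULL,           -- exact form version the filing was checked against
    status       text NOT NULL DEFAULT 'draft'
);

CREATE TABLE submission_audit (
    id            bigserial PRIMARY KEY,
    submission_id bigint NOT NULL,
    org_id        uuid NOT NULL,
    actor         text NOT NULL,          -- who
    old_status    text,
    new_status    text NOT NULL,          -- what
    changed_at    timestamptz NOT NULL DEFAULT now()  -- when
);

-- The trigger function runs as its owner (SECURITY DEFINER), not as the caller,
-- so it can write the audit table even though the application role cannot.
-- actor is NOT NULL: a transition attempted without a pinned user identity
-- fails, and because the trigger fires in the same transaction, the state
-- change is rolled back with it. The application cannot skip this step.
CREATE OR REPLACE FUNCTION audit_submission_status() RETURNS trigger
LANGUAGE plpgsql SECURITY DEFINER SET search_path = pg_catalog, public AS $$
BEGIN
    -- An UPDATE that leaves status unchanged is not a transition; record nothing.
    IF TG_OP = 'UPDATE' AND NEW.status IS NOT DISTINCT FROM OLD.status THEN
        RETURN NEW;
    END IF;

    INSERT INTO submission_audit (submission_id, org_id, actor, old_status, new_status)
    VALUES (NEW.id,
            NEW.org_id,
            NULLIF(current_setting('app.current_user', true), ''),  -- assumed per-request setting
            CASE WHEN TG_OP = 'UPDATE' THEN OLD.status END,
            NEW.status);
    RETURN NEW;
END;
$$;

CREATE TRIGGER submissions_audit
    AFTER INSERT OR UPDATE OF status ON submissions
    FOR EACH ROW EXECUTE FUNCTION audit_submission_status();

-- Least privilege: the application role may read history but never append to
-- it directly, rewrite it, or truncate it. Only the trigger writes audit rows.
GRANT SELECT ON submission_audit TO app_api;
REVOKE INSERT, UPDATE, DELETE, TRUNCATE ON submission_audit FROM app_api;

-- As app_api, inside a request transaction with the actor pinned:
BEGIN;
SET LOCAL app.current_user = 'user-42';   -- constructed value
INSERT INTO submissions (org_id, form_version, status)
    VALUES ('11111111-1111-1111-1111-111111111111', 'VAT-2024.2', 'draft');  -- audit row: NULL -> draft
UPDATE submissions SET status = 'filed' WHERE id = 1;                        -- audit row: draft -> filed
UPDATE submission_audit SET new_status = 'draft';  -- ERROR: permission denied for table submission_audit
COMMIT;
```

Because the audit insert and the state change share one transaction, an examiner reading `submission_audit` sees exactly the transitions that actually committed, in order, with the `form_version` on the submission row still pinned to what was validated at filing time.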
Infrastructure
| Layer | What runs there | Controls |
|---|---|---|
| Cloud Run (GCP) | Stateless API containers, non-root user | Autoscaling 1–20 instances; no state on disk; per-revision rollback |
| Cloud SQL PostgreSQL 16 | All tenant data, RLS, validators, audit | Regional high availability; encrypted at rest; point-in-time-recovery backups; private connectivity from the API via the Cloud SQL connector |
| Secret Manager | DB password, token-signing key | IAM-scoped access; versioned rotation |
| HTTPS Load Balancer | TLS termination for web + API | TLS 1.2+; Cloud Armor rate-limiting on authentication endpoints |
Region: us-central1 (Iowa, USA). This website itself loads no third-party scripts, fonts, or trackers — the entire page is first-party and static.
Data handling
- Encryption in transit (TLS) and at rest (Cloud SQL default AES-256).
- Customer Data is exportable in standard formats during the term and for 30 days after termination; deletion follows the schedule in the Privacy Policy.
- One subprocessor: Google LLC (Google Cloud Platform). No advertising or analytics vendors, anywhere.
- De-identified, aggregated metrics only for capacity planning — never filing contents.
Honest roadmap
Statements above describe what is built today. The following are planned, not yet in place — listed so you never have to guess:
- PLANNED SOC 2 Type II audit program
- PLANNED Single sign-on (OIDC/SAML) for enterprise workspaces, with SCIM user provisioning
- PLANNED Forced rotation of bootstrap credentials at first sign-in (today rotation is required by policy; enforcement is on the roadmap)
- PLANNED Customer-facing uptime/status page upon general availability
Responsible disclosure
If you believe you've found a vulnerability, email support@smepro.app with the subject "Security disclosure." We commit to acknowledging reports within 2 business days, will not pursue good-faith research conducted without accessing another tenant's data or degrading the service, and will credit reporters who want credit once a fix ships.