Adholics.

Security & trust

Your clients' data is your reputation. Here's how we treat it.

Encryption everywhere

All traffic is HTTPS-only with HSTS. Documents in storage are AES-GCM encrypted with a unique per-tenant key derived via HMAC-SHA256 from a master key. Database backups are encrypted at rest by Cloudflare D1.
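The storage scheme described above, as an added example that is not Adholics' own code: a per-tenant AES-256 key is derived from a master key with HMAC-SHA256, and a blob encrypted for one tenant fails authentication under another tenant's key. The derivation label, the blob layout, the associated-data binding and the master key value are all assumptions made for this illustration; it uses Node.js built-in crypto.

```javascript
const nodeCrypto = require('node:crypto');

// Constructed 32-byte master key for the demo; a real one lives in a secret store.
const MASTER_KEY = nodeCrypto.createHash('sha256')
  .update('constructed-demo-master-key').digest();

// Per-tenant key = HMAC-SHA256(master key, label || tenant id). The label
// (an assumption) separates this use of the master key from any other use.
function deriveTenantKey(masterKey, tenantId) {
  return nodeCrypto.createHmac('sha256', masterKey)
    .update('doc-encryption-v1\0' + tenantId)
    .digest(); // 32 bytes, used directly as the AES-256 key
}

// Encrypt one document. Assumed layout: nonce(12) || tag(16) || ciphertext.
// tenantId and docId are bound as associated data, so a stored blob cannot be
// relabelled as a different document without failing authentication.
function encryptDocument(masterKey, tenantId, docId, plaintext) {
  const key = deriveTenantKey(masterKey, tenantId);
  const nonce = nodeCrypto.randomBytes(12); // must never repeat under one key
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, nonce);
  cipher.setAAD(Buffer.from(tenantId + '\0' + docId));
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), ciphertext]);
}

// Returns the plaintext Buffer, or null when the GCM tag does not verify
// (wrong tenant key, wrong document id, or a modified blob).
function decryptDocument(masterKey, tenantId, docId, blob) {
  if (blob.length < 28) return null; // too short to hold nonce + tag
  const key = deriveTenantKey(masterKey, tenantId);
  const decipher = nodeCrypto.createDecipheriv(
    'aes-256-gcm', key, blob.subarray(0, 12), { authTagLength: 16 });
  decipher.setAAD(Buffer.from(tenantId + '\0' + docId));
  decipher.setAuthTag(blob.subarray(12, 28));
  try {
    return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
  } catch (err) {
    return null; // authentication failed; release no plaintext
  }
}
```

Because every tenant key comes from the one master key, that master key is the value to protect and rotate; a leaked tenant key exposes only that tenant's documents.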

Modern auth

Magic-link sign-in (no password storage by default). Optional passwords are hashed with PBKDF2-SHA256 at 100k iterations. JWT access tokens have a 15-minute TTL; refresh tokens are stored in __Host- cookies. SAML SSO is available on Enterprise.

Per-tenant isolation

Every request is gated by the tenant ID in the JWT. Data sources, dashboards, members, documents — all rows in the database have a tenant_id; queries can't cross the boundary. Subdomains are CORS-validated against the tenant's registered domains.

Full audit log

Every admin mutation — workspace create, dashboard publish, document upload, member invite, billing change — lands in an append-only audit log with actor, IP, user-agent, and before/after JSON. Exportable on Enterprise.

Data residency

Adholics runs on Cloudflare's global edge. Pro and Enterprise customers can pin data to US, EU, or APAC regions. Enterprise also supports per-customer dedicated databases.

Compliance posture

GDPR-aware (data export and deletion endpoints, DPA available). SOC 2 Type II audit in progress — target completion Q4 2026. ISO 27001 on roadmap.

Reporting a vulnerability

Found a security issue? We take it seriously. Email [email protected] with details. Please don't publicly disclose until we've had a chance to respond (we aim for 48 hours).

We don't currently run a paid bug bounty, but we'll publicly thank responsible researchers and send Adholics swag.