🔒 Encryption Everywhere

Every byte of data is encrypted in transit and at rest. No exceptions, no toggles, no "premium encryption tier." This is baseline.

  • TLS 1.3 for all data in transit
  • AES-256 encryption at rest
  • Database-level encryption via Supabase (AWS RDS)
  • Secrets managed in Doppler (dev/staging/prod)
  • No plaintext keys in any repository

Encryption Status

Data in Transit: TLS 1.3
Data at Rest: AES-256
Secret Management: Doppler
Key Rotation: Automated
Database Provider: Supabase (AWS)
Hosting: Railway

🏛️ Tenant Isolation

The Universal Tenant Model (UTM) enforces a 4-tier hierarchy at the database level using PostgreSQL Row-Level Security. No application code can bypass it.

  • 4-tier model: Platform → MSP → Client → Site
  • Row-Level Security (RLS) on every Supabase table
  • Tenant context injected via secure session RPC
  • 6-role RBAC enforced at data, API, and UI layers
  • No cross-tenant data visibility — ever

Tenant Hierarchy

Tier 1: Platform Admin
Tier 2: MSP Tenant
Tier 3: Client Tenant
Tier 4: Site / Prospect
RLS Policy: All Tables
Isolation Model: Row-Level
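To make the isolation model above concrete, here is an added PostgreSQL example of the pattern described (Row-Level Security on a table, with the tenant context set through a session RPC). It is illustrative code written for this page, not Cavaridge's own schema or functions: the table name, the setting key app.tenant_id, the functions current_tenant_id and set_tenant_context, and the sample tenant ids are all assumptions.

```sql
-- Added example, not Cavaridge's schema. Names (devices, app.tenant_id,
-- current_tenant_id, set_tenant_context) and the sample ids are assumptions.

CREATE TABLE devices (
    id        bigserial PRIMARY KEY,
    tenant_id uuid NOT NULL,
    hostname  text NOT NULL
);

-- Enable RLS and FORCE it so the table owner is subject to the policy too.
-- Only superusers and roles with BYPASSRLS can still see every row, so the
-- application should connect as neither.
ALTER TABLE devices ENABLE ROW LEVEL SECURITY;
ALTER TABLE devices FORCE ROW LEVEL SECURITY;

-- Read the tenant from a session setting. missing_ok = true returns NULL
-- instead of raising when no context was set; NULLIF also covers the empty
-- string. A NULL policy result is treated as "no match", so a session that
-- never set its tenant context matches no rows at all.
CREATE OR REPLACE FUNCTION current_tenant_id() RETURNS uuid
LANGUAGE sql STABLE AS $$
    SELECT NULLIF(current_setting('app.tenant_id', true), '')::uuid
$$;

-- USING governs which rows can be read/updated/deleted; WITH CHECK governs
-- which rows can be inserted or written, so a client cannot re-label a row
-- into another tenant.
CREATE POLICY tenant_isolation ON devices
    USING      (tenant_id = current_tenant_id())
    WITH CHECK (tenant_id = current_tenant_id());

-- The RPC the application calls once per request, after it has authenticated
-- the caller and resolved their tenant. set_config(..., true) scopes the
-- value to the current transaction, so it cannot leak into a pooled
-- connection reused by another request.
CREATE OR REPLACE FUNCTION set_tenant_context(p_tenant_id uuid)
RETURNS void
LANGUAGE plpgsql SECURITY DEFINER AS $$
BEGIN
    IF p_tenant_id IS NULL THEN
        RAISE EXCEPTION 'tenant_id must not be null';
    END IF;
    PERFORM set_config('app.tenant_id', p_tenant_id::text, true);
END;
$$;

-- Constructed sample data for two tenants.
INSERT INTO devices (tenant_id, hostname) VALUES
    ('11111111-1111-1111-1111-111111111111', 'clinic-a-pc01'),
    ('22222222-2222-2222-2222-222222222222', 'clinic-b-pc01');

-- A request on behalf of tenant A: the policy filters every statement in the
-- transaction to rows whose tenant_id matches the injected context.
BEGIN;
SELECT set_tenant_context('11111111-1111-1111-1111-111111111111');
SELECT hostname FROM devices;
-- An insert tagged with tenant B's id fails the WITH CHECK clause.
INSERT INTO devices (tenant_id, hostname)
    VALUES ('22222222-2222-2222-2222-222222222222', 'spoofed');
ROLLBACK;

-- Outside the transaction the context is gone, so a non-bypass role sees
-- no rows: the safe default when the application forgets to set context.
SELECT count(*) FROM devices;
```

Two points in this design carry the security weight: FORCE ROW LEVEL SECURITY keeps the application's own role inside the policy, and the NULL-means-no-rows behaviour turns a missing tenant context into an empty result rather than a cross-tenant leak. A useful check in any deployment is to run the last SELECT as the application role without setting context and confirm it returns nothing.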

📋 HIPAA Alignment

Cavaridge is designed to support HIPAA-covered entities and their business associates. Compliance isn't a feature tier — it's a platform characteristic.

  • BAA available at sign-up (Enterprise included, others add-on)
  • Audit logging on all data access and modifications
  • Access controls aligned to HIPAA minimum necessary standard
  • Breach notification procedures documented
  • PHI handling policies enforced at platform level
  • Subprocessor list maintained and available on request

Compliance Posture

HIPAA: Aligned
BAA: Available
SOC 2: In Progress
Audit Logging: Active
Data Residency: US (AWS)

Need a BAA?

We can execute a Business Associate Agreement for your organization.


Security questions?

We're happy to discuss our security posture, share our subprocessor list, or walk through our architecture.