Tenant isolation at schema level.
Security
Every write goes through a command with a named actor, a policy check, and a tenant-scoped receipt. Tenant isolation is enforced at the schema layer. Approvals pause risky changes before execution. Receipts are append-only. There is no side door.
Controls in place
Each item names the mechanism, not the category. Tenant isolation is a category. tenant_id as a non-nullable leading column on every unique constraint, enforced by the conformance test suite, is a mechanism.
tenant_id on every table, leading every unique constraint. No cross-tenant query is possible without a deliberate schema change — application filtering is a backup, not the primary control.
R2 commands pause for named operator approval. R3 commands are human-only. Agents use the same risk class ceiling as humans. There is no agent-only fast path around approvals.
command_receipts and domain_events have no UPDATE or DELETE path in the schema. The audit trail is physically append-only, not soft-deleted.
DNS, HTTPS termination, managed certificates, and WAF-managed ruleset sit in front of every public surface. Cloudflare handles marketing; GCP handles the operator console and APIs.
Every outbound webhook is HMAC-SHA256 signed. The replay window (5 minutes default) is enforced server-side on the ingest surface. Delivery state and retry history are queryable.
MCP keys are bound to an agent identity record with explicit scope, environment, and risk class ceiling. Keys are tenant-scoped and revocable without a redeploy.
W3C traceparent headers propagate through every command, event, webhook, and connector call. Every write in the system has a traceparent on the receipt. Grafana + Prometheus ship with the stack.
Credentials and tokens live in GCP Secret Manager. Config files and environment variables in the repo contain no secret values. Bun lockfile is frozen on CI (--frozen-lockfile).
Isolation invariants, namespace contracts, schema-GraphQL parity, and tier boundary rules run as conformance tests on every CI pass. A drift in tenant isolation blocks the merge.
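The webhook control above (HMAC-SHA256 signature plus a 5-minute replay window enforced on the ingest side), sketched as an added example; this is not KarmanFlow's code. The signed-string layout (`<timestamp>.<raw body>`), the hex encoding, the function names and the in-memory `seen` map are assumptions made for illustration.

```javascript
// Load node:crypto under either module system (CommonJS or ESM).
const crypto = typeof require === "function"
  ? require("node:crypto")
  : process.getBuiltinModule("node:crypto");

const REPLAY_WINDOW_MS = 5 * 60 * 1000; // 5-minute default stated on the page

// Assumed signing layout: hex HMAC-SHA256 over "<unix-ms timestamp>.<raw body>".
function signWebhook(secret, timestamp, rawBody) {
  return crypto.createHmac("sha256", secret)
    .update(`${timestamp}.${rawBody}`)
    .digest("hex");
}

// `seen` maps accepted signatures to their timestamps for the window's duration.
function verifyWebhook({ secret, timestamp, rawBody, signature, nowMs, seen }) {
  const ts = Number(timestamp);
  if (!Number.isSafeInteger(ts)) return "bad_timestamp";
  // Authenticate first: recompute over the exact bytes received, compare in constant time.
  const expectedHex = signWebhook(secret, timestamp, rawBody);
  const expected = Buffer.from(expectedHex, "hex");
  const given = Buffer.from(String(signature), "hex");
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return "bad_signature";
  }

  // The timestamp is covered by the MAC, so it can now be trusted for freshness.
  if (Math.abs(nowMs - ts) > REPLAY_WINDOW_MS) return "outside_window";
  // Inside the window a captured delivery is still valid, so remember what was accepted.
  for (const [sig, t] of seen) if (nowMs - t > REPLAY_WINDOW_MS) seen.delete(sig);
  if (seen.has(expectedHex)) return "replayed";
  seen.set(expectedHex, ts);
  return "accepted";
}

// Constructed sample delivery (secret, body and clock values are made up).
function demo() {
  const secret = "constructed-demo-secret";
  const rawBody = JSON.stringify({ event: "order.updated", tenant_id: "t_123" });
  const sentAt = 1700000000000;
  const signature = signWebhook(secret, String(sentAt), rawBody);
  const base = { secret, timestamp: String(sentAt), rawBody, signature, seen: new Map() };
  return [
    verifyWebhook({ ...base, nowMs: sentAt + 1000 }),                          // first delivery
    verifyWebhook({ ...base, nowMs: sentAt + 2000 }),                          // replay in window
    verifyWebhook({ ...base, rawBody: rawBody + " ", nowMs: sentAt + 3000 }),  // tampered body
    verifyWebhook({ ...base, seen: new Map(), nowMs: sentAt + 6 * 60000 }),    // stale timestamp
  ];
}
```

With more than one ingest instance, the accepted-signature map has to live in a shared store; otherwise a replay inside the window can land on an instance that never saw the first delivery.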
Honest scope
We are in early preview. The controls above are implemented in the split proof. SOC 2 is on the roadmap; the timeline and current evidence are shared in the security review session, not promised on this page.
The marketing host has zero database access. Product access stays behind login on a separate host. The separation is architectural, not policy-enforced.
Each surface is a separate GCP Cloud Run service. A failure or breach in one path does not automatically affect the others.
We do not publish performance or security numbers until they hold under production-like conditions. SOC 2 timeline and audit scope are shared in the security review, not on a marketing page.
SPF, DKIM, and DMARC are configured for the karmanflow.com domain. SendGrid DKIM and click-tracking CNAMEs are provisioned. Domain takeover risk is managed before public launch.
The strongest security claim is one enforced by the schema, not the application. If we forget to add a WHERE clause, tenant isolation should still hold. That is why tenant_id leads every unique constraint and sits on every table.
The KarmanFlow engineering team
Security review
We open a 30-minute call, walk through the isolation model and write boundary, and answer your CISO checklist with current evidence. DPA and subprocessor list shared under NDA.