Skip to content
Platform · Security

Isolation and least privilege, built into the foundation.

Compass separates every business at the database level, scopes credentials tightly, and keeps audit records of what happened. Security is an architectural property here, not a feature bolted on later.

Core controls

How Compass protects tenant data

These controls apply across the platform, from the database layer up to the session in your browser.

Tenant isolation

Every business runs as an isolated tenant. Data access is scoped to the tenant at the infrastructure layer, not just filtered in application code.

Database isolation

Each tenant has its own database, so one customer’s data is physically separated from another’s rather than sharing tables.

Scoped API keys

API keys are scoped to a tenant and to specific capabilities, limiting what any single credential can reach.

Sealed provider credentials

Third-party provider credentials are sealed and stored so they are protected at rest and used only when needed.

Server-side sessions

User sessions are managed server-side, reducing exposure compared to trusting long-lived tokens in the browser.

Password hashing

Passwords are stored using strong one-way hashing — never in plain text.

Accountability

Audit records and deliberate data routing.

Compass keeps audit records of significant actions so there is a trail of what changed and who changed it. Data routing is deliberate — traffic and storage are directed with tenant boundaries in mind rather than left to chance.

  • Audit records for significant actions
  • Deliberate, tenant-aware data routing
  • Least-privilege access to tenant resources
  • Sealed credentials for third-party providers
Infrastructure

Running on Cloudflare’s global network.

Compass is built on Cloudflare infrastructure, inheriting a hardened, globally distributed platform. Our subprocessor list documents the third parties involved in delivering the service.

View our subprocessors
  • Cloudflare-native compute and storage
  • Globally distributed by design
  • Published subprocessor list
  • Data-processing terms available
Incident reporting

A clear path when something needs attention

If you believe you have found a security issue, we want to hear from you. Reach our team through the contact page and we will follow our incident-response process. A more formal security center will follow as larger clients begin evaluating Compass.

Evaluating Compass for a security review?

We are glad to walk your team through isolation, credential handling, and our data-processing terms in detail.