Security at Chapman AI
How the platform is built. Plain answers to the questions a CTO or security lead will ask in procurement.
Tenant isolation
- Every tenant-scoped table carries a tenant_id and is protected by a Postgres row-level security (RLS) policy that filters by current_setting('app.tenant_id').
- The middleware sets app.tenant_id on every request after resolving the tenant from the host header (clientname.chapmanai.com or a customer custom domain).
- Cross-tenant queries are rejected by the database itself, not just by application code — the defence-in-depth pattern recommended for multi-tenant SaaS.
- Premium tier offers a fully dedicated Postgres database per tenant for customers who contractually require it.
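The tenant_id + RLS pattern described above, written out as an added SQL example; this is not Chapman AI's own schema, and the table documents, the role app_user and the sample tenant ids are assumptions:

```sql
-- Added example, not Chapman AI's schema. Table, role and ids are assumed.
CREATE TABLE documents (
    id         bigserial PRIMARY KEY,
    tenant_id  uuid NOT NULL,
    title      text NOT NULL
);

ALTER TABLE documents ENABLE ROW LEVEL SECURITY;
-- Apply the policy to the table owner as well, not only to other roles.
ALTER TABLE documents FORCE ROW LEVEL SECURITY;

-- missing_ok = true: current_setting() does not raise when app.tenant_id
-- was never set. The comparison then yields NULL (or a failed uuid cast),
-- never a match, so a request that forgot to set the value sees zero rows
-- instead of every row. WITH CHECK also stops writes tagged with another
-- tenant's id.
CREATE POLICY tenant_isolation ON documents
    FOR ALL
    USING      (tenant_id = current_setting('app.tenant_id', true)::uuid)
    WITH CHECK (tenant_id = current_setting('app.tenant_id', true)::uuid);

-- The application role must not be a superuser and must not hold
-- BYPASSRLS; either would skip the policy entirely.
CREATE ROLE app_user LOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON documents TO app_user;
GRANT USAGE, SELECT ON SEQUENCE documents_id_seq TO app_user;

-- Per request, run as app_user. SET LOCAL scopes the value to the
-- transaction, so a pooled connection cannot carry one tenant's id into
-- the next request.
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';  -- constructed
INSERT INTO documents (tenant_id, title)
    VALUES ('11111111-1111-1111-1111-111111111111', 'own row');   -- allowed
SELECT id, title FROM documents;                                  -- own rows only
-- Rejected by WITH CHECK with "new row violates row-level security policy":
INSERT INTO documents (tenant_id, title)
    VALUES ('22222222-2222-2222-2222-222222222222', 'other tenant');
ROLLBACK;
```

Run the block as the application role to see the last INSERT fail; a superuser session would not exercise the policy.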
Encryption
- TLS 1.2+ enforced on every external connection. HSTS preload eligible.
- AES-256-GCM at rest. Per-tenant data encryption keys (DEKs) wrapped by a Key Encryption Key (KEK) held in Google Secret Manager.
- Sensitive vault content is client-encrypted before it leaves the browser; the relay never sees plaintext.
Authentication & access
- Default: email magic-link or password.
- Per-tenant SSO via WorkOS — SAML, OIDC, Google Workspace, Azure AD — can be enabled for any tenant that needs it.
- SCIM 2.0 user provisioning supported through the same integration.
- JWT-based session tokens with secure refresh; tokens are scoped per tenant.
Hosting & data residency
- Google Cloud Platform, region europe-west2 (London).
- Postgres on Cloud SQL, in the same region. Daily automated backups.
- Vector store (Qdrant) co-located in the same region.
- Data does not leave Europe under default configuration.
Logging & retention
- Zero Data Retention logging on the request path: prompts, responses, document content, and PII are never logged.
- Audit log for security-relevant events (auth, role changes, vault access) — retained 12 months by default.
- You can request a copy or deletion of your tenant’s audit data at any time.
Compliance posture
- GDPR — Chapman AI Ltd is a UK data controller with EU/UK data residency and per-tenant data deletion.
- A Data Processing Agreement (DPA) is provided on request.
- Cyber Essentials and ISO 27001 are on the roadmap; currently we operate to those standards but are not formally certified.
Have a specific question?
DPA, security questionnaire, network architecture diagram — get in touch and we’ll send what your team needs.