Security & data architecture

How AethelLayer isolates tenant context end to end

Written for CTOs, CISOs, and engineering leads evaluating OAuth grants to finance, hiring, and engineering systems. No marketing copy — implementation boundaries, data minimization rules, and known gaps.

security@aethellayer.com Legal security policy

Least privilege Data pipeline Tenant isolation Compliance & infra Security FAQ

§1

Least privilege & data minimization

AethelLayer requests the minimum OAuth and API scopes required to compute operational telemetry. We ingest metadata, not source-of-truth dumps. We do not clone repositories, store raw issue bodies at scale, or persist vendor JSON blobs after normalization.

Integration	Requested access	Explicitly excluded
Greenhouse / Ashby	Read-only job, application, and pipeline metadata	Resume files, offer letters, or candidate PII blobs
Xero / QuickBooks	Read-only invoices, spend aggregates, AR aging	Bank account numbers, full GL exports, or tax IDs
Stripe / Ramp	Subscription counts, MRR aggregates, card spend totals	PANs, CVVs, or raw transaction memos with employee names
GitHub (ops connector)	Read-only repo metadata, PR state, commit timestamps	Source code, file contents, or secret scanning payloads
Jira (ops connector)	Issue keys, status transitions, cycle-time metrics	Issue descriptions with PII, attachments, or comment bodies
Slack	Channel metadata, slash commands, interactive approvals	Full message history export or DMs outside configured channels

Data ephemerality architecture

Ingested payloads are processed in memory, synthesized into typed metadata points, and raw vendor responses are discarded before the handler completes.

Step 1

Transient ingest buffer

OAuth and webhook responses land in a request-scoped memory buffer. No raw payload is written to object storage.

Step 2

Normalizer extraction

Ingestion services map vendor JSON into typed telemetry: amounts, dates, stage names, counts, and severity flags.

Step 3

Durable metadata only

PostgreSQL stores normalized rows keyed by workspaceId. Fields are finance, hiring, and risk metrics — not vendor dumps.

Step 4

Buffer discard

After successful upsert, the raw buffer is dereferenced. GC reclaims memory before the HTTP handler returns.

§2

Zero-trust data pipeline security

Data in transit uses TLS 1.2 or higher (TLS 1.3 at the edge CDN) with Perfect Forward Secrecy. Data at rest uses AES 256 GCM for integration secrets and MFA seeds. Enterprise pilots may bind encryption to AWS KMS customer-managed keys.

Figure 1 · Zero-trust ingest path

Customer stack

GitHub · Jira · Xero · Greenhouse APIs

TLS read-only

TLS 1.2+ (1.3 at edge)

Perfect Forward Secrecy · Read-only scopes

authenticated

Ingestion gateway

Auth session · Rate limits · Scope validation

normalize

Ephemeral engine

In-memory normalize · No raw persistence

normalize

Metadata store

AES 256 GCM credentials · workspaceId rows

✓ PFS cipher suites at CDN

✓ Raw payloads not durably stored

✓ Credentials encrypted at rest

Inference boundary

Claude API calls include only the compiled workspace snapshot for the authenticated request. Cache entries are keyed per workspace. Anthropic commercial API terms apply; we do not train on customer payloads.

§3

Absolute tenant isolation & anti-leakage

Cross-tenant leakage is mitigated at the session, API, ORM, RAG, and cache layers. Today isolation is enforced in application code with workspaceId predicates on every data path. PostgreSQL Row-Level Security is rolling out as defense-in-depth for enterprise tenants.

Figure 2 · Multi-tenant isolation

Client A

Workspace slug A

JWT session

Client B

Workspace slug B

JWT session

Unified API gateway

Middleware auth · requireWorkspaceMember · permission gates

Runtime context A

workspaceId = uuid-a

RAG · cache · ORM predicates

Runtime context B

workspaceId = uuid-b

RAG · cache · ORM predicates

PostgreSQL (shared cluster)

SELECT * FROM infra_spend WHERE workspace_id = $current_workspace

+ RLS policy (enterprise rollout): tenant_id = current_setting('app.tenant')

Edge & middleware

▸Auth.js signed JWT session validated before /dashboard and /api routes
▸Unauthenticated requests terminate with 401; no anonymous workspace access

API authorization

▸requireWorkspaceMember(slug, userId) on every workspace-scoped handler
▸Permission keys gate finance, hiring, risk, agents, and approvals independently

Application data plane

▸Every Prisma query includes workspaceId after membership resolution
▸RAG searchDocuments and ingestDocument filter WHERE workspaceId = :id
▸AI cache keys namespaced: finance-intel:{workspaceId}

Database defense in depth

▸Logical tenant isolation on shared PostgreSQL (Supabase) today
▸Enterprise tier: PostgreSQL RLS policies mirroring app predicates (rollout)
▸Optional dedicated database per tenant for regulated pilots

§4

Continuous compliance & infrastructure security

Containerized immutable deploys, segmented network paths to PostgreSQL, automated dependency gates in CI, and workspace-scoped audit logs. SOC 2 Type II is in preparation — not yet certified.

Immutable container deploys

Next.js application packaged as immutable Vercel/serverless artifacts. No SSH shells on running production instances.

VPC & network segmentation

Database reachable only over TLS from application subnets. Integration credentials never exposed to the browser after save.

Dependency scanning

npm audit and CI lint gates on every push. Dependabot/Snyk recommended for production org — enabled on request for pilot customers.

Audit & execution logs

Agent actions written to workspace-scoped ExecutionLog with severity. Operators can trace what ran and when.

SOC 2 trajectory

SOC 2 Type II preparation in progress. No certification claims until audit letter is issued.

Subprocessors

Anthropic (inference), Supabase/Postgres (data), Vercel (hosting), Upstash (optional cache). DPAs on request.

§5

Security FAQ

Direct answers for engineering evaluators. Ask follow-ups during pilot qualification or email security@.

What happens if an access token is revoked?

The next sync attempt fails with provider 401. We surface a disconnected integration badge in Settings. No stale token is used for inference; agents operate on last-known normalized metadata until you reconnect.

Do you store financial credentials?

OAuth tokens and API keys are stored encrypted (AES 256 GCM) when INTEGRATION_ENCRYPTION_KEY is configured. They are never returned to the client after initial save and are decrypted only inside server-side sync handlers.

Can Tenant A's context leak into Tenant B's Claude prompt?

No by architecture. buildWorkspaceContext, buildFinanceSnapshot, and searchDocuments all bind to a single workspaceId per request. There is no global retrieval index across customers.

Do you train models on our data?

We use the Anthropic API under commercial terms. We do not opt customer data into foundation model training. Your uploads are not pooled across tenants.

Is PostgreSQL RLS active today?

Primary isolation is application-enforced workspaceId predicates on every ORM path. PostgreSQL RLS is scheduled as defense-in-depth for enterprise deployments — ask for status during security review.

What metadata do agents actually see?

Compiled snapshots: infra spend by month, SaaS duplicate flags, AR aging, pipeline stage durations, compliance task severity — not raw vendor JSON or source code.

How do you handle a security incident?

Report to security@aethellayer.com. We triage by severity, notify affected customers without undue delay where personal data is impacted, and preserve logs for forensic review.

Can we get a deeper pack under NDA?

Yes. Architecture diagrams, subprocessor list, penetration test summary, and DPA templates are available during Private Pilot qualification.