Workspace isolation
Every record carries your firm's workspace identity. Queries are scoped to that workspace on every request, and single-record lookups reject cross-tenant access outright.
Why it mattersYour client list and pipeline are visible to your firm and no one else, enforced in the data layer, not by convention.
Role-based access control
Six roles, from owner to read-only viewer, enforced in middleware. Administrative areas require explicit role checks, and the last owner of a workspace cannot be removed by accident.
Why it mattersA trainee can read the account plan without being able to delete it; billing and member management stay with the people accountable for them.
Hardened authentication
Passwords are hashed with salted PBKDF2 (100,000 iterations) and compared in constant time. Sessions are signed and expire. Google sign-in is available when your firm enables it.
Why it mattersCredential handling follows current published guidance rather than convenience.
Audit history
Sign-ins, invitations, role changes, imports, exports and settings changes are recorded per workspace with actor and timestamp.
Why it mattersWhen someone asks who exported the pipeline in March, there is an answer.
Encrypted transport
The application is served over HTTPS only. Secrets live in the deployment environment, never in the codebase.
Why it mattersData in transit between your team and the platform is encrypted as standard.
Controlled import and export
Excel import is validated row by row before anything is written. Export is available to authorised roles and recorded in the audit log.
Why it mattersYour data is yours to take with you, and its movement is visible to your administrators.
Invitation integrity
Workspace invitations are single-use tokens bound to the invited email address. OAuth flows carry anti-forgery state tokens.
Why it mattersJoining a workspace requires being invited to it, not guessing a link.