Your clients' brands, properly separated.
Multi-tenant Row-Level Security. AES-256 encryption. Cloudflare WAF. GDPR-ready exports. Paddle Merchant-of-Record billing. The boring stuff, done right — so you can sell to enterprise clients without a 40-page procurement review.
Six layers, not one.
A request from your team passes through six independent security layers before it touches your data. A breach would have to defeat every one of them.
Edge
Cloudflare WAF + TurnstileEvery request passes through a global Web Application Firewall. Bots, credential-stuffing, and bad actors are filtered before they reach our servers.
Transport
TLS 1.3 end-to-endAll traffic — API, web, and real-time streams — is encrypted in transit with modern cipher suites.
Application
Helmet + HPP + CORS + rate limitingSecure HTTP headers, strict CORS allow-lists, global 100 req/min throttle, and per-user fair scheduling prevent abuse and noisy-neighbour effects.
Data
Supabase RLS + JWT custom claimsEvery row in every table is tagged with tenant and workspace IDs. Postgres Row-Level Security enforces tenant isolation at the database level — not just in application code.
Secrets
AES-256-GCM at restThird-party API keys and OAuth tokens are encrypted with a dedicated key and only decrypted in memory at the moment of use. Never logged, never cached.
Input
Zod schemas + magic-byte validationEvery API request is schema-validated. Every uploaded file is checked by MIME type, magic bytes, and size — SVGs are sanitised before storage.
Client data, cleanly separated.
Run 10 client brands in one account without ever risking a data crossover. Isolation isn't a setting — it's the architecture.
Tenant
The account that owns the subscription. Has its own tier limits, billing, and super-admin visibility.
Workspace
One per client brand. Its own Voice DNA, knowledge base, brand assets, content calendar, and AI history. Crossing between workspaces is an explicit, audited action.
Role
Owner → Admin → Multi-Account Manager → Member → Viewer. Every middleware request re-checks the user's role against the target workspace.
Row
Every query is filtered by tenant_id + workspace_id at the Postgres level via RLS policies. Even a bug in application code cannot leak data between clients.
Built for the due-diligence questionnaire.
GDPR-ready
Full data export on demand. 72-hour account-deletion grace period with one-click cancel. Cascade deletion across 26+ tables in FK-safe order — your data goes when you say it goes.
Global tax, handled
Billing runs through Paddle as Merchant of Record. VAT, sales tax, GST, and 40+ regional tax regimes are calculated, collected, and remitted for you — not by you.
Auditable by default
13 predefined audit categories captured to a dual-persistence trail — Pino structured logs plus a queryable Supabase audit table. Invites, role changes, deletions, exports: every material action is recorded.
Data minimisation
Logs scrub email addresses, JWTs, API keys, webhook secrets, and bearer tokens before leaving the server. PII never reaches Sentry. Error telemetry runs at 10% transaction sampling with replay only on session boundary.
When an upstream provider falters, your work doesn't stop.
Every upstream AI provider — Anthropic, Gemini, DataForSEO — sits behind a circuit breaker. If one degrades, the platform fails over, queues, or returns a clean error instead of a cascading outage. Requests are fair-scheduled per tenant, so no single customer can monopolise shared capacity.
Four commitments we don't hedge on.
- We do not train models on your content. Your knowledge base, voice profiles, and drafts stay in your workspace.
- You own your data. Export anything, anytime, in structured formats you can use elsewhere.
- We do not sell, rent, or share customer data with third parties for marketing.
- Your brand assets, voice DNA, and master prompts are workspace-scoped and never pooled across tenants.
See Luminar Forge in action
Start your 14-day free trial — no credit card required.