Security

Security woven in, not bolted on.

Sutra holds the keys to your Salesforce orgs, so the platform is built to protect them at every layer — from the database row to the audit log. Here is how that works in practice.

Last updated 2026-05-29

  • Per-workspace isolation

    Every tenant-scoped table is protected by Postgres Row-Level Security: policies carry both USING and WITH CHECK clauses, and FORCE ROW LEVEL SECURITY is set on the table. The runtime database role cannot bypass RLS, so one workspace can never read or write another's rows. Isolation is enforced in the database, not just the application.

  • Encrypted OAuth tokens

    Salesforce OAuth access and refresh tokens are sealed with KMS envelope encryption before they touch storage. The encryption context binds each ciphertext to its workspace, org, and kind, and that binding is immutable. Tokens are never displayed back in the tenant UI.

  • Append-only audit chain

    Sensitive actions are written to a per-workspace SHA-256 hash chain. Each entry hashes the previous one, and UPDATE and DELETE are revoked on the audit table at the SQL layer, so history is append-only and tamper-evident. A daily verifier re-checks the chain.

  • OAuth-only Salesforce access

    Sutra connects to your orgs strictly over OAuth 2.0 using the official Salesforce SDK. We never ask for, see, or store your Salesforce password, and you can revoke a connection at any time from your end or ours.

  • Least-privilege roles

    Runtime traffic uses a constrained, NOBYPASSRLS database role. A separate elevated role exists only for schema migrations and the audit-chain verifier — the application path can never reach it, narrowing the blast radius of any single component.

  • Defense in depth

    Auth.js owns the session cookie and JWT; sessions can be revoked instantly and fail closed on the unknown. Secrets are redacted from logs by default, and idempotency keys guard every mutating endpoint against accidental replays.
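
The append-only audit chain described above, sketched as an added example (not Sutra's own code): a per-workspace SHA-256 chain and the check a verifier would run over it. The field names, the all-zero genesis value and the JSON canonical encoding are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor for the first entry of each workspace chain


def entry_hash(prev_hash, workspace_id, seq, action):
    """SHA-256 over the previous hash plus a canonical encoding of this entry."""
    body = json.dumps(
        {"workspace_id": workspace_id, "seq": seq, "action": action},
        sort_keys=True, separators=(",", ":"),
    )
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append(chain, workspace_id, action):
    """Append an entry linked to the current tail of the chain."""
    prev = chain[-1]["hash"] if chain else GENESIS
    seq = len(chain) + 1
    chain.append({
        "workspace_id": workspace_id, "seq": seq, "action": action,
        "prev_hash": prev, "hash": entry_hash(prev, workspace_id, seq, action),
    })


def verify(chain, workspace_id):
    """Return (True, None) if intact, else (False, position of first bad entry)."""
    prev = GENESIS
    for expected_seq, row in enumerate(chain, start=1):
        recomputed = entry_hash(prev, row["workspace_id"], row["seq"], row["action"])
        if (row["workspace_id"] != workspace_id      # row from another chain
                or row["seq"] != expected_seq        # gap or reordering
                or row["prev_hash"] != prev          # broken link
                or row["hash"] != recomputed):       # content edited
            return False, expected_seq
        prev = row["hash"]
    return True, None


def sample_chain():
    """Constructed sample data for one hypothetical workspace."""
    chain = []
    for action in ("org.connect", "token.refresh", "org.disconnect"):
        append(chain, "ws_demo", action)
    return chain
```

Removing entries from the tail leaves a shorter chain that still verifies, so a verifier of this kind also needs the last known head hash recorded somewhere outside the audit table.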

Found something?

We welcome responsible disclosure. If you believe you’ve found a vulnerability, email us and we’ll work with you on a fix and coordinated timeline.

security@sutra.dev