Security by Design

On the Simple Platform, security is not a feature; it is the fundamental design principle upon which everything else is built. Our architecture incorporates best-in-class, zero-trust security practices at every layer to ensure your data, your logic, and your users are protected by default.

True Multi-Tenant Isolation

The Competitors' Compromise: The Illusion of Separation

Many SaaS platforms, including early and even some current enterprise systems, co-mingle customer data in massive, shared databases. They rely on application-level software queries — like adding a WHERE tenant_id = '...' clause — to create an illusion of data separation. This model is notoriously fragile and represents a constant, unacceptable risk. A single bug in an application's code or a misconfigured permission can inadvertently expose one customer's sensitive data to another.

The Simple Advantage: True Infrastructure-Level Isolation

Simple provides true multi-tenant isolation at the infrastructure level. This is not a software feature; it is an architectural guarantee.

• Isolated Databases: When a new tenant is provisioned, our Metadata Service orchestrates the creation of a completely separate, dedicated PostgreSQL database for that tenant.
• Isolated Credentials: Each tenant database has its own unique, securely generated credentials. At no point do services share database credentials across tenants.
• Isolated Execution: Every API request and logic execution is cryptographically scoped to a single tenant. Cross-tenant data access is architecturally impossible.

Identity and Access Management (IAM)

The Identity Service acts as the central authentication and authorization authority for the entire platform, enforcing the principle of least privilege.

• Tenant-Aware JWTs: The service issues standard, signed JSON Web Tokens (JWTs) that are cryptographically bound to a specific user and a specific tenant.
• Centralized Verification: Every service, including the Data API Gateway and Trigger Service, validates the JWT on every incoming request. This ensures that all actions are authenticated and authorized within the correct tenant context before any code is executed.

Centralized Secrets Management with a Secure Vault

Hardcoding secrets is a leading cause of security breaches in enterprise software. The Simple Platform eliminates this risk by integrating with a secure vault infrastructure as the central, immutable store for all secrets.

• No Hardcoded Credentials: Database passwords, third-party API keys, and internal signing keys are never stored in code, configuration files, or environment variables.
• Dynamic Secrets: Services authenticate with the vault using secure identities (like Kubernetes Service Accounts) to dynamically fetch the credentials they need at runtime. These credentials are short-lived and automatically rotated.
• Encryption as a Service: The platform leverages the vault's transit secrets engine to perform cryptographic operations (like encrypting sensitive fields marked :secret in your SCL). This means raw encryption keys are never exposed to the application services, even in memory.

This robust, multi-layered approach to security provides an enterprise-grade foundation you can trust by default.

Next Step

Learn about the scalable, resilient infrastructure that powers our secure platform.

→ Cloud-Native Infrastructure