Enterprise-Grade Security
Your data is your most valuable asset. BizBrew protects it with database-level isolation, encrypted connections, and strict access controls — all enabled by default, with no extra configuration.
Security is not an add-on
In a multi-tenant platform, security isn't optional — it's foundational. Every layer of BizBrew, from the database to the API to the user interface, is built with tenant isolation and data protection as first-class requirements. You get the same security posture whether you're on the Starter plan or the Pro plan.
How We Protect Your Data
PostgreSQL Row-Level Security (RLS)
Every tenant-scoped table has RLS enabled, with policies that enforce tenant isolation inside PostgreSQL itself rather than in application code. Even if a query is missing a WHERE clause, the database returns only the caller's tenant's rows. RLS does not apply to superusers or to roles with BYPASSRLS (such as Supabase's service-role key), so tenant-facing queries always run under the user's own JWT.
Supabase GoTrue Authentication
Industry-standard authentication powered by Supabase GoTrue. Secure sign-up, login, password recovery, and session management with short-lived JWTs and automatic token refresh.
Role-Based Access Control
Granular permission system with three built-in roles (super admin, tenant admin, and staff) plus custom roles you define. Every API route and UI action checks the caller's role before proceeding.
HTTPS Encryption
All data is encrypted in transit with TLS. Custom domains receive automatic TLS certificate provisioning so your tenant's customers always see a secure connection.
Audit Logging
A complete audit trail records every significant action: who did what, when, and from where. Audit logs are append-only, so entries cannot be altered after the fact, and are available for compliance review at any time.
GDPR Considerations
Built-in data isolation per tenant, full data export capabilities, and support for deletion requests. BizBrew's architecture makes GDPR compliance straightforward, not an afterthought.
How Data Isolation Works
BizBrew uses a shared-database, isolated-tenant architecture. Every table includes a tenant_id column, and PostgreSQL Row-Level Security policies automatically filter every query to return only the data belonging to the authenticated tenant.
Request arrives
The middleware resolves the tenant from the request's domain or subdomain and attaches that tenant context to the request headers. The tenant is always derived from the hostname, never from a client-supplied tenant identifier.
Authentication check
The API route verifies the user's JWT, confirms their membership in the tenant via the tenant_users table, and checks their role.
Database query with RLS
Every query is executed against a Supabase client scoped to the user's JWT (never the service-role key, which bypasses RLS). PostgreSQL RLS policies ensure only rows matching the tenant's ID are visible, regardless of what the application code requests.
Response returned
The filtered, tenant-scoped data is returned over an encrypted HTTPS connection. No tenant ever sees another tenant's data.
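The SQL below is an added example of the RLS setup the steps above depend on; it is not BizBrew's own schema. It assumes Supabase's auth.uid() helper (which reads the "sub" claim of the caller's JWT from request.jwt.claims) and the tenant_users membership table named in the authentication step. The orders table and the is_tenant_member and has_tenant_role helpers are hypothetical names chosen for the example. Besides the select policy that implements tenant filtering, it shows the write-side WITH CHECK that stops a client from tagging rows into another tenant, and a role-gated update/delete policy of the kind the role-based access control above describes.

```sql
-- Added example, not BizBrew's schema. Assumes Supabase's auth.uid() and the
-- tenant_users table from the page; "orders" and the helper functions are
-- hypothetical names.

create table if not exists public.tenant_users (
  tenant_id uuid not null,
  user_id   uuid not null,
  role      text not null check (role in ('tenant_admin', 'staff')),
  primary key (tenant_id, user_id)
);

create table if not exists public.orders (
  id         bigint generated always as identity primary key,
  tenant_id  uuid not null,
  total      numeric(12, 2) not null,
  created_by uuid not null default auth.uid()
);

-- Enable RLS; on the data table also FORCE it so the table owner is subject
-- to the policies. Superusers and roles with BYPASSRLS (Supabase's
-- service_role) still bypass RLS, so tenant requests must go through a
-- client holding the user's JWT, never the service key.
alter table public.tenant_users enable row level security;
alter table public.orders enable row level security;
alter table public.orders force row level security;

-- Membership helpers. SECURITY DEFINER runs them as the function owner
-- (assumed to be the migration role that owns tenant_users), so they can
-- read tenant_users without recursing into its own policy. search_path is
-- pinned so a caller's schema cannot shadow tenant_users.
create or replace function public.is_tenant_member(t uuid)
returns boolean language sql stable security definer
set search_path = public as $$
  select exists (select 1 from tenant_users
                 where tenant_id = t and user_id = auth.uid());
$$;

create or replace function public.has_tenant_role(t uuid, r text)
returns boolean language sql stable security definer
set search_path = public as $$
  select exists (select 1 from tenant_users
                 where tenant_id = t and user_id = auth.uid() and role = r);
$$;

revoke execute on function public.is_tenant_member(uuid) from public, anon;
revoke execute on function public.has_tenant_role(uuid, text) from public, anon;
grant execute on function public.is_tenant_member(uuid) to authenticated;
grant execute on function public.has_tenant_role(uuid, text) to authenticated;

-- A user can read only their own membership rows.
create policy tenant_users_self_select on public.tenant_users
  for select to authenticated
  using (user_id = auth.uid());

-- Reads: any member of the row's tenant. A query with no WHERE clause, or
-- with a WHERE on another tenant_id, still returns only the caller's rows.
create policy orders_member_select on public.orders
  for select to authenticated
  using (public.is_tenant_member(tenant_id));

-- Writes: WITH CHECK is evaluated on the new row, so a client cannot insert
-- a row into a tenant it does not belong to.
create policy orders_member_insert on public.orders
  for insert to authenticated
  with check (public.is_tenant_member(tenant_id));

-- Role-based: only tenant admins may change or delete orders. With RLS
-- enabled, anything no policy grants is denied, so staff get no update or
-- delete at all.
create policy orders_admin_update on public.orders
  for update to authenticated
  using (public.has_tenant_role(tenant_id, 'tenant_admin'))
  with check (public.has_tenant_role(tenant_id, 'tenant_admin'));

create policy orders_admin_delete on public.orders
  for delete to authenticated
  using (public.has_tenant_role(tenant_id, 'tenant_admin'));

-- Checking the policies from psql: auth.uid() reads request.jwt.claims, so
-- setting it inside a transaction simulates a request made with that user's
-- JWT. Replace the sub with a real user id from your project.
begin;
set local role authenticated;
set local request.jwt.claims to '{"sub": "00000000-0000-0000-0000-000000000001"}';
select tenant_id, count(*) from public.orders group by tenant_id;
rollback;
```

The impersonation block at the end is the check worth running after every policy change: repeat it with a user from a second tenant and confirm the counts never overlap. Two things to keep in mind when adapting this: a table with RLS enabled but no policy returns nothing to non-bypassing roles, which is the safe failure mode, and the service-role key defeats all of it, so it belongs only in server-side code that is deliberately acting across tenants.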
Start building securely
Every BizBrew account comes with enterprise-grade security out of the box. Create your free account and see it for yourself.