Security claims you can verify in the code
Orosphinx handles real gold and real money. Our security posture is built on Postgres row-level security, audit-logged mutations, signed webhooks, and idempotent procedures — not on certificate logos.
How tenant data is protected
Security pillars
Tenant isolation by row-level security
Every business operates inside its own row-level security boundary in Postgres. The application role cannot bypass RLS. Cross-tenant workers (PDPL, retention) are fenced inside a single narrow SECURITY DEFINER function that is reviewed in migrations.
- RLS policies on every tenant-scoped table
- Tenant context bound per request via app.current_tenant_id
- Application database role has no BYPASSRLS privilege
- Cross-tenant workers limited to one auditable function
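The per-request tenant binding listed above, as an added TypeScript example that is not Orosphinx's own code: it sets app.current_tenant_id as a transaction-local setting around each procedure, and refuses to start if the connected role could bypass RLS. The SqlClient shape, the sales table and policy shown in the comment, and the RecordingClient used to run it offline are assumptions.

```typescript
// Added example, not Orosphinx code. SqlClient mirrors the subset of a
// node-postgres client the helpers need; table and policy names are assumed.
export interface SqlClient {
  query(text: string, params?: unknown[]): Promise<{ rows: Record<string, unknown>[] }>;
}

// The policy these helpers feed, as it would appear in a migration (assumed):
//   ALTER TABLE sales ENABLE ROW LEVEL SECURITY;
//   ALTER TABLE sales FORCE ROW LEVEL SECURITY;  -- applies to the table owner too
//   CREATE POLICY tenant_isolation ON sales
//     USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
// current_setting(..., true) yields NULL when the setting is unbound, so a request
// that forgot to bind a tenant sees no rows rather than every tenant's rows.

const UUID = /^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;

// Run fn inside a transaction with app.current_tenant_id bound for its duration.
// set_config(..., true) is transaction-local, so the value cannot leak to the
// next request that reuses this pooled connection, and unlike SET LOCAL it
// takes a bind parameter, so the tenant id never goes through string formatting.
export async function withTenant<T>(
  client: SqlClient,
  tenantId: string,
  fn: (tx: SqlClient) => Promise<T>,
): Promise<T> {
  if (!UUID.test(tenantId)) throw new Error("invalid tenant id");
  await client.query("BEGIN");
  try {
    await client.query("SELECT set_config('app.current_tenant_id', $1, true)", [tenantId]);
    const result = await fn(client);
    await client.query("COMMIT");
    return result;
  } catch (err) {
    await client.query("ROLLBACK");
    throw err;
  }
}

// Startup check: refuse to serve if the connected role is a superuser or has
// BYPASSRLS, because either would silently switch off every policy.
export async function assertNoBypassRls(client: SqlClient): Promise<void> {
  const { rows } = await client.query(
    "SELECT rolsuper, rolbypassrls FROM pg_roles WHERE rolname = current_user",
  );
  const role = rows[0];
  if (!role || role.rolsuper === true || role.rolbypassrls === true) {
    throw new Error("database role can bypass RLS; refusing to start");
  }
}

// Constructed fake client so the helpers run offline: records each statement and
// answers the pg_roles query with a role that has (or lacks) BYPASSRLS.
export class RecordingClient implements SqlClient {
  readonly log: string[] = [];
  constructor(private readonly bypass = false) {}
  async query(text: string, params: unknown[] = []): Promise<{ rows: Record<string, unknown>[] }> {
    this.log.push(params.length ? `${text} -- ${JSON.stringify(params)}` : text);
    if (text.includes("pg_roles")) return { rows: [{ rolsuper: false, rolbypassrls: this.bypass }] };
    return { rows: [] };
  }
}

// Smoke run: the statement log shows the bind happening inside the transaction.
export async function demo(): Promise<string[]> {
  const client = new RecordingClient();
  await assertNoBypassRls(client);
  await withTenant(client, "6f1d2c3e-8a9b-4c1d-9e2f-0123456789ab", (tx) =>
    tx.query("SELECT id, total FROM sales ORDER BY created_at DESC LIMIT 10"),
  );
  return client.log;
}
```

The fail-closed behaviour comes from the policy, not the helper: with the missing_ok argument set, an unbound request compares tenant_id against NULL and sees nothing, instead of raising an error that a caller might catch and route around.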
Role-based access enforced server-side
The UI reflects permissions but never decides them. Every tRPC procedure checks role and entitlement before reading or writing.
- Roles: admin, manager, cashier, viewer, plus custom
- Per-route permission checks on every mutation
- Break-glass actions log a security event
- Log-only entitlement mode: when enforcement is off, would-be denials are still logged
Encryption in transit and at rest
TLS 1.2+ everywhere. Webhook payloads carry an HMAC-SHA-256 signature that covers the body, a timestamp and a nonce, so receivers can authenticate each delivery and reject replays. KYC identity fields use column-level envelope encryption.
- TLS for every API request
- HMAC v1 envelope on webhook deliveries
- Envelope-encrypted KYC PII columns
- Webhook secret rotation with previous-key fallback
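The HMAC v1 envelope and the previous-key fallback described above, as an added TypeScript example that is not Orosphinx's own code; the constant-time comparison it uses is the same shape the store agent needs for its API key check. The envelope layout (v1 prefix, signed string of version, timestamp, nonce and body), the 300-second tolerance and the in-memory nonce set are assumptions.

```typescript
// Added example, not Orosphinx code. Envelope layout, tolerance window and the
// nonce cache are assumptions made for the demonstration.
import { createHmac, randomBytes, timingSafeEqual } from "node:crypto";

export interface Envelope {
  timestamp: number; // seconds since epoch, sender's clock
  nonce: string;     // random, unique per delivery
  signature: string; // "v1=<hex hmac>"
}

// The signed string binds body, timestamp and nonce together, so none of them
// can be altered or reused independently of the others.
function signedPayload(timestamp: number, nonce: string, body: string): string {
  return `v1:${timestamp}:${nonce}:${body}`;
}

function hmacHex(secret: string, message: string): string {
  return createHmac("sha256", secret).update(message).digest("hex");
}

// Compare two digests without leaking where they differ. timingSafeEqual throws
// on unequal lengths, so length is checked first; for a fixed-size digest that
// branch only fires on malformed input. An API key check is the same pattern:
// hash both sides to a fixed length, then timingSafeEqual.
export function constantTimeEqual(a: string, b: string): boolean {
  const ab = Buffer.from(a, "utf8");
  const bb = Buffer.from(b, "utf8");
  return ab.length === bb.length && timingSafeEqual(ab, bb);
}

export function sign(secret: string, body: string, timestamp: number, nonce = randomBytes(16).toString("hex")): Envelope {
  return { timestamp, nonce, signature: `v1=${hmacHex(secret, signedPayload(timestamp, nonce, body))}` };
}

export interface VerifyOptions {
  secret: string;          // current webhook secret
  previousSecret?: string; // accepted during a rotation window
  now: number;             // receiver's clock, seconds
  toleranceSec?: number;   // allowed clock skew plus delivery delay
  seenNonces: Set<string>; // replay cache; entries older than the tolerance can be evicted
}

export type VerifyResult = "ok" | "bad_signature" | "stale" | "replay" | "malformed";

export function verify(body: string, env: Envelope, opts: VerifyOptions): VerifyResult {
  const tolerance = opts.toleranceSec ?? 300;
  if (!env.signature.startsWith("v1=") || !/^[0-9a-f]{32,}$/.test(env.nonce)) return "malformed";
  if (!Number.isInteger(env.timestamp) || Math.abs(opts.now - env.timestamp) > tolerance) return "stale";
  const message = signedPayload(env.timestamp, env.nonce, body);
  const given = env.signature.slice(3);
  const candidates = [opts.secret, opts.previousSecret].filter((s): s is string => !!s);
  // Try every candidate secret rather than returning early, so response timing
  // does not reveal which secret (if any) matched.
  let matched = false;
  for (const secret of candidates) {
    if (constantTimeEqual(hmacHex(secret, message), given)) matched = true;
  }
  if (!matched) return "bad_signature";
  // Only a valid signature may consume a nonce; otherwise anyone could poison
  // the cache and block the legitimate delivery that follows.
  if (opts.seenNonces.has(env.nonce)) return "replay";
  opts.seenNonces.add(env.nonce);
  return "ok";
}
```

Rotation works because verification accepts either the current or the previous secret; once every sender has switched to the new one, previousSecret is dropped and old signatures stop verifying.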
Audit log: who, what, when, before, after
Every UPDATE, TRANSITION, and DELETE records the pre-mutation state alongside the result, so both the before and the after of each change are kept. Auth failures, PIN lockouts, key rotations, and break-glass actions write security events with a severity.
- Append-only audit log on mutations
- Filterable by user, action, entity, branch
- Security events with severity for review
- Exportable for internal and external review
Backups and recovery
Continuous Postgres backups with point-in-time recovery. Shift close triggers an additional logical backup. Optional encrypted local backups are written by the store agent.
- Continuous PITR on the production database
- Logical backup on shift close
- Optional AES-256-GCM encrypted local copies on the store PC
- Retention policies clean up old local files
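The encrypted local copy described above, as an added TypeScript example that is not Orosphinx's own code: it writes and reads an AES-256-GCM backup with a fresh nonce per file and the tenant and shift identifiers bound in as associated data. The file layout (magic, nonce, tag, ciphertext), the identifiers and the sample dump are assumptions.

```typescript
// Added example, not Orosphinx code. The OBK1 layout and the associated-data
// string are assumptions made for the demonstration.
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

const MAGIC = Buffer.from("OBK1"); // hypothetical format tag
const NONCE_LEN = 12;              // 96-bit nonce, the GCM recommendation
const TAG_LEN = 16;

// Encrypt a logical backup. key is a 32-byte secret that lives in the agent's
// configuration, never in the file. The AAD is authenticated but not encrypted,
// so a file cannot be silently swapped between tenants or shifts.
export function encryptBackup(key: Buffer, plaintext: Buffer, aad: string): Buffer {
  if (key.length !== 32) throw new Error("AES-256 needs a 32-byte key");
  const nonce = randomBytes(NONCE_LEN); // fresh per file: a repeated nonce under one key breaks GCM
  const cipher = createCipheriv("aes-256-gcm", key, nonce);
  cipher.setAAD(Buffer.from(aad, "utf8"));
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([MAGIC, nonce, cipher.getAuthTag(), ciphertext]);
}

// Decrypt and verify. Any change to nonce, tag, ciphertext or AAD makes final()
// throw, so a corrupted or tampered file never hands partial plaintext to a
// restore job.
export function decryptBackup(key: Buffer, file: Buffer, aad: string): Buffer {
  if (!file.subarray(0, MAGIC.length).equals(MAGIC)) throw new Error("not a backup file");
  const nonceStart = MAGIC.length;
  const tagStart = nonceStart + NONCE_LEN;
  const bodyStart = tagStart + TAG_LEN;
  const decipher = createDecipheriv("aes-256-gcm", key, file.subarray(nonceStart, tagStart));
  decipher.setAAD(Buffer.from(aad, "utf8"));
  decipher.setAuthTag(file.subarray(tagStart, bodyStart));
  return Buffer.concat([decipher.update(file.subarray(bodyStart)), decipher.final()]);
}

function throws(fn: () => unknown): boolean {
  try { fn(); return false; } catch { return true; }
}

// Constructed sample: a tiny "logical backup" for one shift, round-tripped,
// then rejected after a one-bit change and under the wrong shift identifier.
export function roundTrip(): { ok: boolean; tamperedRejected: boolean; wrongShiftRejected: boolean } {
  const key = randomBytes(32);
  const aad = "tenant=6f1d2c3e shift=2024-05-01T18:00Z"; // hypothetical identifiers
  const dump = Buffer.from("COPY sales FROM stdin;\n1\t12.5\n\\.\n");
  const file = encryptBackup(key, dump, aad);
  const ok = decryptBackup(key, file, aad).equals(dump);
  const tampered = Buffer.from(file);
  const last = tampered.length - 1;
  tampered.writeUInt8(tampered.readUInt8(last) ^ 0x01, last); // flip one ciphertext bit
  const tamperedRejected = throws(() => decryptBackup(key, tampered, aad));
  const wrongShiftRejected = throws(() => decryptBackup(key, file, "tenant=6f1d2c3e shift=other"));
  return { ok, tamperedRejected, wrongShiftRejected };
}
```

Binding the tenant and shift into the AAD is what stops a restore from accepting a valid file for the wrong shift; the retention job that deletes old files should verify nothing, since it never needs the key.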
Store agent hardening
The optional store agent that drives receipt printing binds to the local network only, uses constant-time API key comparison, and enforces strict request size limits.
- Local-network binding by default
- Constant-time API key comparison
- Request size and rate limits
- No customer PII in print payloads
ERP depth without leaving the platform
Workshop, ETA submission, KYC, AML, PDPL, scrap refining, and financial statements share one ledger and one audit log.
ETA e-invoicing
Submit e-invoices and e-receipts to the Egyptian Tax Authority. Pluggable signer (dev, KMS, or HSM), automatic retry with circuit breaker, and an immutable submission archive.
- Pluggable signer: dev, KMS, HSM
- Retry with circuit breaker
- Immutable submission archive
AML and KYC
Capture customer identity when a transaction crosses a configured threshold. Identity fields are stored with envelope encryption. SAR drafting and configurable thresholds.
- Envelope-encrypted identity columns
- Configurable transaction thresholds
- AML pattern detection and SAR drafting
PDPL workflows
Egypt's Personal Data Protection Law: deletion requests, data export requests, configurable retention, and a cross-tenant worker fenced inside a single SECURITY DEFINER function.
- Deletion and export requests
- Configurable retention per collection
Controls owners can verify
Row-level security, server-enforced roles, signed webhooks, and an audit log that captures before and after on every change.
Backups: continuous cloud, optional local
Postgres point-in-time recovery in the cloud and optional AES-256-GCM encrypted backups written to the store PC after each shift close.
- Continuous PITR on the database
- Optional encrypted local copies on the store PC
- Retention policies remove old local files
Denial-of-wallet protection
Per-tenant rate limits, daily caps, and emergency kill switches keep expensive operations under control.
- Per-minute and per-hour rate limits
- Daily caps per tenant
- Emergency kill switches for heavy operations
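The per-tenant limits, daily caps and kill switch listed above, combined into one admission check, as an added TypeScript example that is not Orosphinx's own code. The limit values, operation name and in-memory counters are assumptions; a deployment with several app instances would keep the counters in a shared store.

```typescript
// Added example, not Orosphinx code. Limits, operation names and the in-memory
// store are assumptions; production counters belong in a shared store such as
// Redis or Postgres so every instance sees the same numbers.
export interface Limits {
  perMinute: number;
  perHour: number;
  perDay: number;
}

export type Decision =
  | { allow: true }
  | { allow: false; reason: "killed" | "minute" | "hour" | "day" };

// Fixed-window counters keyed by tenant, operation and window start. Windows come
// from the caller's clock, so behaviour is deterministic and testable.
export class TenantLimiter {
  private readonly counters = new Map<string, number>();
  private readonly killed = new Set<string>(); // operations switched off for everyone

  constructor(private readonly limits: Record<string, Limits>) {}

  kill(operation: string): void { this.killed.add(operation); }
  restore(operation: string): void { this.killed.delete(operation); }

  // Admit one call for a tenant. The kill switch wins over everything, every
  // window is checked before any is incremented so a denied call does not
  // consume quota, and an operation with no configured limits is refused
  // rather than allowed without bound.
  admit(tenantId: string, operation: string, nowSec: number): Decision {
    if (this.killed.has(operation)) return { allow: false, reason: "killed" };
    const limits = this.limits[operation];
    if (!limits) throw new Error(`no limits configured for ${operation}`);
    const windows = [
      { reason: "minute" as const, key: this.key(tenantId, operation, "m", nowSec / 60), limit: limits.perMinute },
      { reason: "hour" as const, key: this.key(tenantId, operation, "h", nowSec / 3600), limit: limits.perHour },
      { reason: "day" as const, key: this.key(tenantId, operation, "d", nowSec / 86400), limit: limits.perDay },
    ];
    for (const w of windows) {
      if ((this.counters.get(w.key) ?? 0) >= w.limit) return { allow: false, reason: w.reason };
    }
    for (const w of windows) this.counters.set(w.key, (this.counters.get(w.key) ?? 0) + 1);
    return { allow: true };
  }

  private key(tenant: string, op: string, unit: string, bucket: number): string {
    return `${tenant}:${op}:${unit}:${Math.floor(bucket)}`;
  }
}
```

Fixed windows let a tenant spend up to twice the per-minute limit across a window boundary; a sliding window or token bucket tightens that, but the daily cap is the control that actually bounds spend. Counters for windows that have passed should be evicted on a timer, which this in-memory version omits.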
Hardened store agent
Optional desktop agent for receipt printing. Binds to the local network only, uses constant-time API key comparison, and enforces request size limits.
- Local-network binding
- Constant-time API key comparison
- Request size and rate limits
Egypt-native, ETA-ready
Designed against Egyptian Tax Authority e-invoicing, KYC thresholds, and the Personal Data Protection Law. Pluggable signer supports dev keys, KMS, or HSM.
Want a security walkthrough?
We'll cover tenant isolation, audit log, webhook signing, and operational controls in detail.