Security & Data Isolation

PostgreSQL Row-Level Security, Supabase Auth, Cloudflare Turnstile, rate limiting, and complete audit logging. Enterprise-grade security without enterprise complexity.

Security That Scales with Multi-Tenancy

Running multiple directories on one platform creates a critical challenge: every organization’s data must be completely isolated from every other organization’s data. A leak between tenants isn’t just a bug — it’s a business-ending trust violation.

AI Magic Directory enforces data isolation at the database level using PostgreSQL Row-Level Security (RLS), with additional protections at the application layer.

Row-Level Security (RLS)

Every table with tenant-scoped data has RLS policies that filter results automatically based on the authenticated user’s organization. This isn’t application-level filtering that a bug could bypass — it’s a database-level constraint.

When an organization owner queries their listings, PostgreSQL itself ensures they only see rows belonging to their organization. The query SELECT * FROM listings returns different results for different users — enforced by the database engine before results leave PostgreSQL.

Key RLS protections:

  • Listings — Organizations can only see and modify their own listings
  • Leads — Leads are scoped to the organization that owns the listing
  • Practices — Practice profiles are organization-scoped
  • Billing data — Subscription and usage data is isolated per organization
  • Audit logs — Each organization’s audit trail is private
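
The tenant filter described above, written as PostgreSQL policies for a listings table. This is an added example, not AI Magic Directory's own schema: the table, column and policy names are assumptions, while auth.uid() and the authenticated role are the ones Supabase provides.

```sql
-- Added example. Table, column and policy names are assumptions, not the
-- platform's schema. auth.uid() and the "authenticated" role come from Supabase.
CREATE TABLE organization_members (
    organization_id uuid NOT NULL,
    user_id         uuid NOT NULL,
    PRIMARY KEY (organization_id, user_id)
);

CREATE TABLE listings (
    id              uuid PRIMARY KEY DEFAULT gen_random_uuid(),
    organization_id uuid NOT NULL,
    title           text NOT NULL,
    visibility      text NOT NULL DEFAULT 'draft'
);

-- Policies have no effect until RLS is enabled on the table. FORCE also applies
-- them to the table owner; superusers and roles with BYPASSRLS are never
-- restricted by policies.
ALTER TABLE organization_members ENABLE ROW LEVEL SECURITY;
ALTER TABLE listings ENABLE ROW LEVEL SECURITY;
ALTER TABLE listings FORCE ROW LEVEL SECURITY;

-- The listings policy reads this table as the calling user, so members must
-- be able to see their own membership rows (and nobody else's).
CREATE POLICY members_read_own ON organization_members
    FOR SELECT TO authenticated
    USING (user_id = auth.uid());

-- USING filters the rows that can be read, updated or deleted; WITH CHECK
-- rejects an INSERT or UPDATE that would write a row into another organization.
CREATE POLICY listings_tenant_isolation ON listings
    FOR ALL TO authenticated
    USING (organization_id IN (
        SELECT organization_id FROM organization_members
        WHERE user_id = auth.uid()))
    WITH CHECK (organization_id IN (
        SELECT organization_id FROM organization_members
        WHERE user_id = auth.uid()));

-- Review check: tables in the public schema that still have RLS disabled.
SELECT c.relname
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'public' AND c.relkind = 'r' AND NOT c.relrowsecurity;
```

With these policies in place, SELECT * FROM listings run as an authenticated user returns only rows for organizations that user belongs to. The final query should list no table that holds tenant-scoped data.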

Authentication

AI Magic Directory uses Supabase Auth for authentication:

  • Email/password — Standard credential-based login
  • OAuth-ready — Google, GitHub, and other providers can be enabled with configuration
  • JWT verification — Every authenticated API request has its JWT validated server-side
  • Service-role isolation — Administrative operations use a separate service-role key with elevated permissions, never exposed to the client

Anti-Abuse Protection

Public-facing endpoints are protected against abuse:

  • Cloudflare Turnstile — Privacy-first CAPTCHA on lead forms. No puzzles, no tracking cookies. Blocks bots while allowing legitimate users through seamlessly.
  • IP rate limiting — Configurable per-endpoint limits (default: 5 lead submissions per IP per hour). Prevents spam floods without affecting real users.
  • Input validation — Zod schemas validate every API input server-side. Malformed requests are rejected with clear error messages before touching the database.
  • Webhook signature verification — Stripe webhook payloads are verified against their cryptographic signature to prevent spoofed events.

Audit Logging

Every state change on the platform is recorded in a tamper-evident audit log:

action: "listing.approved"
actor_id: "admin-uuid"
target_type: "listing"
target_id: "listing-uuid"
diff: { "visibility": ["draft", "public"] }
created_at: "2024-01-15T10:30:00Z"

This provides a complete forensic trail for debugging, compliance reviews, and dispute resolution. The audit log is append-only — entries are never modified or deleted.

Infrastructure Security

  • TLS everywhere — Traefik provisions Let’s Encrypt certificates automatically for every custom domain
  • Container isolation — Docker containers run with minimal privileges
  • Environment-based secrets — No credentials in code; all sensitive values flow through environment variables
  • Supabase-managed database — Connection pooling, automatic backups, and security patches managed by Supabase

Compliance-Ready Architecture

While AI Magic Directory doesn’t claim specific compliance certifications, the architecture supports common compliance requirements:

  • Data residency — PostgreSQL can be hosted in specific regions
  • Access controls — Role-based access with audit trails
  • Data deletion — Organization data can be purged on request
  • Encryption — TLS in transit, Supabase encryption at rest

Why This Matters

In multi-tenant SaaS, security isn’t a feature — it’s the foundation. One data leak between tenants and your platform’s credibility is destroyed. AI Magic Directory’s defense-in-depth approach (RLS + authentication + rate limiting + CAPTCHA + audit logging) ensures that every layer has its own protection, so no single failure can compromise the system.
