Security & Data Practices
This page outlines the security architecture and data handling practices of Manifold Foundry's platform. It is intended for compliance reviewers, prospective customers, and anyone evaluating our systems for use in regulated environments.
Last reviewed: March 2026
A note on claims. This document describes practices we implement and maintain. We do not claim compliance with SOC 2, ISO 27001, HIPAA, or any other certification framework unless explicitly stated. We are transparent about what we do and do not do, and we welcome direct questions about any aspect of our security posture.
Data Isolation
Manifold Foundry is a multi-tenant platform. Each customer organization's data is logically isolated from every other organization's data. This isolation is enforced at the database layer, not the application layer.
- All database queries are scoped by organization identifier. There is no global query path that returns data across tenants.
- Row-level security (RLS) policies are enforced by the database engine (PostgreSQL). Even if application-level code contains a bug, the database will not return rows belonging to another organization.
- Facility-level data (devices, sensors, employee rosters) is further scoped within organizations. A user with access to one facility cannot query data from another facility unless explicitly granted.
- Shared infrastructure (authentication services, edge gateways) does not commingle tenant data. Authentication tokens, device registrations, and session records are all organization-scoped.
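The database-layer enforcement described above, as an added illustration rather than Manifold Foundry's actual schema: a PostgreSQL row-level security policy keyed on a hypothetical `organization_id` column and a transaction-local `app.current_organization` setting, with `inventory_records` and the `app_rw` role as constructed names.

```sql
-- Added example (hypothetical schema, not Manifold Foundry's own code):
-- tenant isolation enforced by PostgreSQL row-level security, so that a
-- query that forgets its organization filter still returns no foreign rows.
CREATE TABLE inventory_records (
    id              bigserial PRIMARY KEY,
    organization_id uuid NOT NULL,
    facility_id     uuid NOT NULL,
    sku             text NOT NULL,
    quantity        integer NOT NULL
);

-- The application connects as a role that cannot bypass RLS. Superusers and
-- roles with BYPASSRLS ignore policies, so the app must never run as one.
CREATE ROLE app_rw LOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON inventory_records TO app_rw;
GRANT USAGE ON SEQUENCE inventory_records_id_seq TO app_rw;

ALTER TABLE inventory_records ENABLE ROW LEVEL SECURITY;
-- FORCE applies the policy to the table owner too, closing the gap where a
-- migration role that owns the table could otherwise read every tenant.
ALTER TABLE inventory_records FORCE ROW LEVEL SECURITY;

-- The tenant comes from a transaction-local setting. If the application
-- never sets it, the expression is NULL, the comparison is not true, and
-- no rows are visible or writable: the check fails closed, not open.
CREATE POLICY tenant_isolation ON inventory_records
    USING (organization_id =
           NULLIF(current_setting('app.current_organization', true), '')::uuid)
    WITH CHECK (organization_id =
           NULLIF(current_setting('app.current_organization', true), '')::uuid);

-- Per-request usage. SET LOCAL is discarded at COMMIT or ROLLBACK, so a
-- pooled connection cannot carry one tenant's context into the next request.
BEGIN;
SET LOCAL app.current_organization = '11111111-1111-1111-1111-111111111111'; -- constructed id
SELECT sku, quantity FROM inventory_records;        -- only this organization's rows
INSERT INTO inventory_records (organization_id, facility_id, sku, quantity)
VALUES ('11111111-1111-1111-1111-111111111111',
        '33333333-3333-3333-3333-333333333333', 'SKU-1', 5);
-- The same INSERT with another organization_id is rejected by WITH CHECK:
-- ERROR: new row violates row-level security policy for table "inventory_records"
COMMIT;
```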
Access Control
Access control follows two principles: role-based access control (RBAC) for coarse authorization boundaries, and attribute-based policies (ABAC) for fine-grained resource access. Both operate under the principle of least privilege.
Role-based access. Users are assigned roles within the context of a specific facility and organization. Roles determine which applications a user can access, which data surfaces are visible, and which actions are available. Roles are not global — a user with an ADMIN role at one facility has no implicit access to another facility.
Attribute-based policies. For sensitive resources (camera feeds, data exports, surveillance recordings), access is governed by a four-tier permission model: VIEW, REVIEW, EXPORT, and ADMIN. Each tier is a strict superset of the one below it. Permissions are scoped per camera, per server, or per facility — not granted globally.
Least privilege. Access grants are specific: per-app, per-facility, per-resource. Users do not receive broad access by default. Organization administrators can grant access to individual applications, and facility managers control which employees appear in device-authenticated environments.
Device authentication. Floor-level applications (inventory, fulfillment, cultivation) use device-bound PIN sessions rather than username/password authentication. Devices are registered to specific facilities. PIN sessions have configurable idle timeouts and fixed maximum durations. Each application on a shared device maintains an independent registration.
Encryption
In transit. All data transmitted between clients and servers, between services, and between edge gateways and cloud endpoints uses TLS. Edge gateways communicate exclusively over HTTPS using outbound-only connections — no inbound firewall rules or port forwarding is required at facility sites.
At rest. Data at rest is encrypted by the underlying storage provider (PostgreSQL managed service with encryption at the storage layer). Application-level secrets and sensitive configuration values are stored in encrypted secret management services, not in environment variables or source code.
Credential Handling
We do not store plaintext passwords, API keys, or device tokens in the database.
- User passwords are hashed using bcrypt with a work factor sufficient to resist offline brute-force attacks.
- Device tokens (used by IoT gateways) are stored as SHA-256 hashes. The raw token is generated once during provisioning, delivered to the device, and never persisted on the server side.
- Provisioning codes for new device registration are single-use, alphanumeric, and expire after one hour.
- Session tokens have explicit maximum lifetimes. PIN sessions expire after a configurable period (default: 8 hours). Management sessions are bound to browser lifetime with idle timeout enforcement.
- OAuth integrations (Google, Microsoft, Apple) use standard authorization code flows. Manifold Foundry does not store OAuth provider passwords or long-lived third-party tokens.
- Multi-factor authentication (TOTP) is available for all management-level accounts. TOTP secrets are stored encrypted. Backup codes are generated at enrollment and intended for one-time use.
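The device-credential lifecycle from the list above (single-use one-hour provisioning code, server-side storage of only the SHA-256 digest, immediate revocation), as an added example with a constructed schema that is not Manifold Foundry's own; the table names, the `PREPARE`d statement names and the sample code value are assumptions.

```sql
-- Added example (hypothetical schema, not Manifold Foundry's own code).
-- Parameters are bound with PREPARE so the statements run as-is in psql;
-- an application would bind them through its database driver instead.
CREATE TABLE provisioning_codes (
    code        text PRIMARY KEY,            -- alphanumeric, generated server-side
    facility_id uuid NOT NULL,
    expires_at  timestamptz NOT NULL DEFAULT now() + interval '1 hour',
    used_at     timestamptz                  -- NULL until redeemed
);

CREATE TABLE device_tokens (
    device_id   uuid PRIMARY KEY,
    facility_id uuid NOT NULL,
    token_hash  text NOT NULL UNIQUE,        -- hex SHA-256 of the raw token, never the token
    issued_at   timestamptz NOT NULL DEFAULT now(),
    revoked_at  timestamptz                  -- set to cut a gateway off immediately
);

-- Redeem a code. A single UPDATE both checks unused-and-unexpired and marks
-- it used, so two concurrent redemptions cannot both succeed; a spent or
-- expired code matches zero rows and returns nothing.
PREPARE redeem_code(text) AS
UPDATE provisioning_codes
   SET used_at = now()
 WHERE code = $1 AND used_at IS NULL AND expires_at > now()
RETURNING facility_id;

-- Register a device. $3 is the raw token the server just generated (at least
-- 32 random bytes). Because it is random and high-entropy, an unsalted
-- SHA-256 is adequate here; passwords are different and need bcrypt.
PREPARE register_device(uuid, uuid, text) AS
INSERT INTO device_tokens (device_id, facility_id, token_hash)
VALUES ($1, $2, encode(sha256(convert_to($3, 'UTF8')), 'hex'));

-- Authenticate a gateway request: hash what was presented and look it up.
-- A revoked device fails closed without its row having to be deleted.
PREPARE authenticate_device(text) AS
SELECT device_id, facility_id
  FROM device_tokens
 WHERE token_hash = encode(sha256(convert_to($1, 'UTF8')), 'hex')
   AND revoked_at IS NULL;

-- Incident response: invalidate a device token immediately.
PREPARE revoke_device(uuid) AS
UPDATE device_tokens SET revoked_at = now() WHERE device_id = $1 AND revoked_at IS NULL;

-- Constructed walkthrough of the single-use property.
INSERT INTO provisioning_codes (code, facility_id)
VALUES ('K7Q2M9XZ', '33333333-3333-3333-3333-333333333333');
EXECUTE redeem_code('K7Q2M9XZ');   -- returns the facility_id once
EXECUTE redeem_code('K7Q2M9XZ');   -- returns no rows: the code is spent
```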
Audit Logging
Security-relevant events are logged with sufficient detail to support forensic review and compliance reporting.
What is logged. Authentication events (successful and failed), permission changes, access to sensitive resources (camera feeds, data exports, surveillance recordings), device provisioning and revocation events, and administrative actions (user creation, role changes, organization configuration).
What is captured. Each log entry includes: the acting user's identity, a timestamp, the action performed, the resource affected, the source IP address, and the user agent string. For authentication events, both successes and failures are recorded.
Immutability. Audit log entries are append-only. Application-level code does not provide a mechanism to modify or delete audit records. Logs are retained for the duration described in the data retention section below.
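The append-only property can also be enforced by the database itself rather than relying on the absence of an application code path; the following is an added example with a constructed `audit_log` table and `app_rw` application role, not Manifold Foundry's own schema.

```sql
-- Added example (hypothetical schema, not Manifold Foundry's own code):
-- audit records that the application can append and read but never rewrite.
CREATE ROLE app_rw LOGIN;   -- hypothetical application role; skip if it exists

CREATE TABLE audit_log (
    id          bigserial PRIMARY KEY,
    occurred_at timestamptz NOT NULL DEFAULT now(),
    actor_id    uuid,                                -- acting user; NULL for system actions
    action      text NOT NULL,                       -- e.g. 'login', 'role.change', 'export'
    resource    text NOT NULL,                       -- e.g. 'camera:<id>', 'org:<id>'
    outcome     text NOT NULL CHECK (outcome IN ('success', 'failure')),
    source_ip   inet,
    user_agent  text
);

-- Privilege layer: the application role may insert and select, nothing else.
REVOKE ALL ON audit_log FROM app_rw;
GRANT INSERT, SELECT ON audit_log TO app_rw;
GRANT USAGE ON SEQUENCE audit_log_id_seq TO app_rw;

-- Trigger layer: rewrites fail even for roles that hold the privileges, so
-- an owner or migration connection cannot quietly edit history. A superuser
-- can still disable the trigger; this guards application paths, not a
-- compromised database administrator.
CREATE FUNCTION audit_log_immutable() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    RAISE EXCEPTION 'audit_log is append-only; % is not permitted', TG_OP;
END;
$$;

CREATE TRIGGER audit_log_no_rewrite
    BEFORE UPDATE OR DELETE ON audit_log
    FOR EACH ROW EXECUTE FUNCTION audit_log_immutable();

CREATE TRIGGER audit_log_no_truncate
    BEFORE TRUNCATE ON audit_log
    FOR EACH STATEMENT EXECUTE FUNCTION audit_log_immutable();

-- Constructed check: the insert succeeds, the delete raises the exception.
INSERT INTO audit_log (actor_id, action, resource, outcome, source_ip, user_agent)
VALUES ('44444444-4444-4444-4444-444444444444', 'login', 'org:demo', 'failure',
        '203.0.113.7', 'Mozilla/5.0 (constructed)');
DELETE FROM audit_log;   -- ERROR: audit_log is append-only; DELETE is not permitted
```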
Incident Response Posture
We maintain the tooling and procedures to respond to security incidents without requiring full system downtime.
- User sessions can be revoked individually or in bulk, forcing re-authentication.
- Device tokens can be invalidated immediately, disconnecting compromised edge gateways from cloud services.
- Gateway access can be revoked per-device, preventing a compromised facility gateway from publishing telemetry or receiving configuration.
- Organization-level access can be suspended without affecting other tenants.
- Audit logs provide the investigative trail needed to determine scope, timeline, and affected resources.
We do not currently publish a formal incident response SLA. If your organization requires specific response time commitments as part of a vendor assessment, we are willing to discuss this directly.
Data Retention & Deletion
Operational data. Customer operational data (batches, orders, invoices, inventory records) is retained for the lifetime of the customer relationship. We do not impose arbitrary deletion schedules on data that may be required for regulatory compliance or business continuity.
Telemetry and time-series data. Environmental sensor readings collected by edge gateways are retained in the cloud database. Local buffers on gateway devices are automatically cleaned after 72 hours. Retention periods for cloud-side telemetry are configurable per deployment.
Audit logs. Audit log data is retained for a minimum period consistent with the regulatory requirements of the jurisdictions in which the customer operates. We do not delete audit logs on request, as they may be required for regulatory or legal purposes.
Account deletion. Upon termination of a customer relationship, we will delete or return customer operational data upon written request, subject to any retention obligations imposed by applicable law or regulation. We will confirm deletion in writing.
No data resale. Customer data is not sold, licensed, shared with third parties for marketing purposes, or used to train machine learning models. Your operational data exists to serve your operation.
Security & compliance inquiries
If you are conducting a vendor security assessment, have questions about our practices, or need to report a security concern, contact us directly. We respond to security inquiries within two business days.
Security contact
security@manifoldfoundry.com
For general inquiries, use hello@manifoldfoundry.com.