Every insigz customer runs in their own database, their own service account, their own Cloud Run instance. There are zero cross-tenant query paths in production. Multi-tenant isolation is enforced at the infrastructure layer, not at the application layer.
Most "enterprise security" pages list 40 features. We list three things we organize the whole company around.
Every customer gets their own database, their own KMS keys, their own Cloud Run service. No shared pool, no multi-tenant escape hatches.
Append-only audit logs. Per-claim provenance from observation to report. If a regulator asks "where did this number come from?", we trace it back through events to signed source observations.
Customer data lives in Switzerland (zone europe-west6, Zürich) by default — or in whatever region you require, anywhere in the world. No mandatory US transit, no middleboxes you didn't approve, no Microsoft Graph paths touching customer data.
The detail that matters when your security team reviews us. Written for technical readers; we'll happily walk you through any of it on a call.
Every customer engagement runs in a single-tenant Postgres database with its own VPC, its own Cloud Run service account, and its own KMS keys. Tenant boundaries are enforced by infrastructure controls — IAM policies, network ACLs, KMS scoping — not by application-layer string comparisons.
This is more expensive than multi-tenant SaaS economics. We accept that cost because it's the only way the trust position holds.
In transit: TLS 1.3 only. HSTS preload, certificate pinning available on dedicated subdomains. Internal service-to-service traffic uses mTLS with rotated certificates.
At rest: AES-256 via Cloud KMS. Each tenant gets its own KMS key — we can't decrypt their data with our root credentials. Customers on Pro/Enterprise tiers can bring their own KMS key (BYOK).
Backups: Same KMS key as the primary database. Point-in-time recovery for the past 35 days; backups encrypted, region-locked.
OIDC integration with your identity provider (Okta, Microsoft Entra, Google Workspace, generic OIDC). MFA enforced for all roles. No password storage on our side; we never see credentials.
Authorization is enforced at the database via Postgres row-level security. Each role's visibility scope is a policy in Postgres, not a check in application code — bypassing the application layer (which we'd notice) still doesn't bypass authorization.
Every read, write, agent inference, and approval is recorded with timestamp, user, action, payload hash, and provenance chain. Logs are append-only and signed; tampering produces a verifiable integrity break.
Retention: engagement duration + 12 months minimum. Exports: machine-readable JSON or CSV on request. We don't sell or share audit logs; they're for you and your regulators only.
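A sketch of how an append-only, signed log makes tampering detectable, added here as an illustration and not insigz's implementation: each record carries the fields listed above plus a link to the previous record's signature. The HMAC signing scheme, the `seq` and `prev` fields, the function names and the sample records are assumptions; the page does not state how its logs are signed.

```python
import hashlib, hmac, json

GENESIS = "0" * 64  # assumed chain anchor for the first entry

def _digest(body: dict) -> bytes:
    # Canonical JSON so the same entry always serializes to the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def append_entry(log: list, key: bytes, ts: str, user: str, action: str, payload: bytes) -> dict:
    """Append one record, linking it to the previous record's signature."""
    body = {
        "seq": len(log),
        "ts": ts,
        "user": user,
        "action": action,
        "payload_hash": hashlib.sha256(payload).hexdigest(),
        "prev": log[-1]["sig"] if log else GENESIS,
    }
    entry = dict(body, sig=hmac.new(key, _digest(body), hashlib.sha256).hexdigest())
    log.append(entry)
    return entry

def verify_log(log: list, key: bytes) -> int:
    """Return -1 if the chain is intact, else the index of the first break."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "sig"}
        expected = hmac.new(key, _digest(body), hashlib.sha256).hexdigest()
        if (body.get("seq") != i or body.get("prev") != prev
                or not hmac.compare_digest(expected, entry.get("sig", ""))):
            return i
        prev = entry["sig"]
    return -1

def demo():
    key = b"constructed-demo-key"  # constructed; a real key would be held in a KMS
    log = []
    # Constructed sample records, not real audit data.
    append_entry(log, key, "2026-01-05T09:00:00Z", "analyst1", "read", b'{"claim": 17}')
    append_entry(log, key, "2026-01-05T09:01:00Z", "agent", "inference", b'{"claim": 17, "v": 2}')
    append_entry(log, key, "2026-01-05T09:02:00Z", "lead1", "approval", b'{"claim": 17, "ok": true}')
    edited = [dict(e) for e in log]
    edited[1]["user"] = "analyst1"   # in-place edit of a middle record
    dropped = log[:1] + log[2:]      # silent deletion of a middle record
    return verify_log(log, key), verify_log(edited, key), verify_log(dropped, key)
```

The chain alone does not reveal truncation of the newest records; detecting that requires the latest signature to be anchored somewhere the log writer cannot modify.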
14.03.2026, no critical findings — report available under NDA)
security@insigz.com · 30-day acknowledgment SLA
We list every sub-processor publicly at /legal#subprocessors. New sub-processors are announced at least 30 days before they go live. Customers receive email notice; right of objection per DPA.
An honest snapshot. Where we have certifications, we say so. Where we don't yet, we say so. We don't claim what we don't have.
Stated up front. The platform serves analysts in regulated sectors; accessibility is a procurement requirement, not a nice-to-have.
Tracked product-wide. Public VPAT (Voluntary Product Accessibility Template) available on request under NDA.
aria-live on chat streaming, table semantics on Bloomberg-grade lists
prefers-reduced-motion