Tenant isolation
Every tenant's data is isolated at the database layer. Tenant ID is enforced on every query — not as application-level filtering, but as a structural constraint. A bug in one tenant's request path cannot leak data to another tenant.
- All queries include tenant_id scoping as a required condition
- No shared tables without tenant partitioning
- God Mode impersonation is audit-logged with actor, target, session token, and action — every entry is immutable
- Sandbox AI processes run in isolated child processes with allowlist-only environment variable access — database credentials are blocked by default
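The following is an added illustration, not HatchOS code, of what "tenant_id as a structural constraint" means at the database layer, and of the parameterized-statement rule from the infrastructure list. It models the idea in SQLite: every tenant-owned table carries tenant_id, child rows reference their parent through a composite foreign key (tenant_id, parent_id), and every read takes tenant_id as a required parameter. The table names, columns and sample data are constructed for the example.

```python
"""Tenant isolation as a structural constraint, modelled in SQLite.

Added example, not HatchOS code. Assumption: every tenant-owned table has a
tenant_id column and child rows reference parents through a composite foreign
key, so a row cannot point at another tenant's data even if a request path
forgets an application-level filter.
"""
import sqlite3

SCHEMA = """
CREATE TABLE tenants (id INTEGER PRIMARY KEY);
CREATE TABLE accounts (
    tenant_id INTEGER NOT NULL REFERENCES tenants(id),
    id        INTEGER NOT NULL,
    name      TEXT NOT NULL,
    PRIMARY KEY (tenant_id, id)
);
CREATE TABLE loads (
    tenant_id  INTEGER NOT NULL REFERENCES tenants(id),
    id         INTEGER NOT NULL,
    account_id INTEGER NOT NULL,
    PRIMARY KEY (tenant_id, id),
    -- composite FK: a load may only reference an account in the SAME tenant
    FOREIGN KEY (tenant_id, account_id) REFERENCES accounts(tenant_id, id)
);
"""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite enforces FKs only when asked
    conn.executescript(SCHEMA)
    # Constructed sample data: two tenants, one shipper account each.
    conn.executemany("INSERT INTO tenants VALUES (?)", [(1,), (2,)])
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [(1, 10, "Acme Shipping"), (2, 20, "Globex Freight")],
    )
    return conn


def create_load(conn: sqlite3.Connection, tenant_id: int, load_id: int, account_id: int) -> bool:
    """Insert a load; returns False when the database rejects a cross-tenant reference."""
    try:
        with conn:  # commits on success, rolls back on exception
            conn.execute(
                "INSERT INTO loads (tenant_id, id, account_id) VALUES (?, ?, ?)",
                (tenant_id, load_id, account_id),
            )
        return True
    except sqlite3.IntegrityError:
        return False


def list_loads(conn: sqlite3.Connection, tenant_id: int) -> list:
    """Every read is scoped by tenant_id; the parameter is required, not optional.

    The query is parameterized: tenant_id is bound, never interpolated into SQL.
    """
    return conn.execute(
        "SELECT id, account_id FROM loads WHERE tenant_id = ? ORDER BY id",
        (tenant_id,),
    ).fetchall()
```

The interesting case is the second insert in the test: tenant 1 trying to attach a load to tenant 2's account is refused by the schema itself, before any application code gets a say.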
Role-based access control
HatchOS implements a 6-tier role hierarchy. Each tier inherits the permissions of the tier below it. Visibility controls are enforced at the data layer, not just the UI.
- Tier 1 — Agent (IC): own loads and commissions only
- Tier 2 — Agent (W2): own loads, limited account visibility
- Tier 3 — Senior Agent: team visibility, can see all assigned agents
- Tier 4 — Office Manager: full office visibility, carrier management
- Tier 5 — Admin: full tenant visibility, commission management, user administration
- Tier 6 — God Mode: cross-tenant platform administration (Hatchway Trade Group internal only)
Account visibility overrides allow granular per-user exceptions above the base role level. Shared account rules control which agents can see which shipper accounts across offices.
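As an added example (not HatchOS code), this sketches how a six-tier hierarchy with downward inheritance, data-layer visibility and per-user account overrides can be expressed in code. Tier numbers and names follow the list above; the permission strings, the User/Load fields, the manager relationship and the override rule are assumptions of this example.

```python
"""Six-tier role hierarchy with data-layer visibility checks.

Added example, not HatchOS code. Tier numbers and names come from the page;
permission names, record fields and the override semantics are assumptions.
"""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, Optional, Set


class Tier(IntEnum):
    AGENT_IC = 1
    AGENT_W2 = 2
    SENIOR_AGENT = 3
    OFFICE_MANAGER = 4
    ADMIN = 5
    GOD_MODE = 6


# Permissions granted at each tier. A tier holds its own permissions plus
# every permission of the tiers below it (downward inheritance).
TIER_PERMS = {
    Tier.AGENT_IC: {"view_own_loads", "view_own_commissions"},
    Tier.AGENT_W2: {"view_limited_accounts"},
    Tier.SENIOR_AGENT: {"view_team"},
    Tier.OFFICE_MANAGER: {"view_office", "manage_carriers"},
    Tier.ADMIN: {"view_tenant", "manage_commissions", "manage_users"},
    Tier.GOD_MODE: {"cross_tenant_admin"},
}


def effective_permissions(tier: Tier) -> Set[str]:
    perms: Set[str] = set()
    for t in Tier:
        if t <= tier:
            perms |= TIER_PERMS[t]
    return perms


@dataclass
class User:
    id: int
    tenant_id: int
    office_id: int
    tier: Tier
    manager_id: Optional[int] = None            # senior agent this agent reports to
    account_overrides: Set[int] = field(default_factory=set)  # extra visible accounts


@dataclass
class Load:
    id: int
    tenant_id: int
    office_id: int
    agent_id: int
    account_id: int


def can_view_load(viewer: User, load: Load, agents_by_id: Dict[int, User]) -> bool:
    """Tenant boundary first, then role visibility, then per-user overrides."""
    if viewer.tier < Tier.GOD_MODE and viewer.tenant_id != load.tenant_id:
        return False  # only God Mode crosses tenants
    perms = effective_permissions(viewer.tier)
    if "cross_tenant_admin" in perms or "view_tenant" in perms:
        return True
    if "view_office" in perms and viewer.office_id == load.office_id:
        return True
    if "view_team" in perms:
        owner = agents_by_id.get(load.agent_id)
        if owner is not None and owner.manager_id == viewer.id:
            return True
    if load.agent_id == viewer.id:
        return True  # own loads (Tier 1 and above)
    # Account visibility override: an explicit exception above the base role.
    return load.account_id in viewer.account_overrides
```

Because the check runs on the record, not in the UI, the same function can back a list endpoint, a detail endpoint and an export, which is the point of enforcing visibility at the data layer.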
Authentication and session security
Password hashing
bcrypt with cost factor 12. Passwords are never stored in plaintext or reversibly encrypted.
TOTP 2FA
Time-based one-time passwords via authenticator app. Per-user enrollment, admin-enforceable.
Session versioning
session_version column on the users table. Bumping it invalidates all active sessions instantly — no individual session enumeration is required.
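An added example, not HatchOS code, of why a single session_version column gives O(1) revocation: the version is baked into each issued token, so validation only has to compare it with the current value on the user row. The token layout (user_id:version:HMAC), the HMAC signing and the in-memory user store are assumptions of this example; the page states only that the column exists and that bumping it invalidates every session.

```python
"""Session versioning: one column on the users table revokes every session.

Added example, not HatchOS code. The signed-token format and the in-memory
user store are assumptions; only the session_version idea comes from the page.
"""
import hashlib
import hmac
import secrets
from typing import Optional

SERVER_KEY = secrets.token_bytes(32)  # constructed; a real key comes from config

# Constructed stand-in for the users table: user_id -> session_version
USERS = {42: 1}


def _sign(payload: str) -> str:
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(user_id: int) -> str:
    """Token carries the user's CURRENT session_version and an HMAC over both fields."""
    payload = f"{user_id}:{USERS[user_id]}"
    return f"{payload}:{_sign(payload)}"


def validate_token(token: str) -> Optional[int]:
    """Return the user_id if the token is authentic AND its version is current."""
    try:
        uid_s, ver_s, sig = token.split(":")
    except ValueError:
        return None
    payload = f"{uid_s}:{ver_s}"
    if not hmac.compare_digest(_sign(payload), sig):
        return None  # forged or corrupted token
    user_id, version = int(uid_s), int(ver_s)
    # The version comparison is the whole revocation mechanism: no session
    # table scan, no per-device enumeration.
    if USERS.get(user_id) != version:
        return None
    return user_id


def bump_session_version(user_id: int) -> int:
    """Log the user out everywhere (password change, suspected compromise, ...)."""
    USERS[user_id] += 1
    return USERS[user_id]
```

Tokens issued before the bump stay cryptographically valid but fail the version check, which is exactly the property wanted: revocation does not depend on finding and deleting each session.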
Rate limiting
In-memory sliding-window rate limiters on all auth endpoints (login, signup, OTP, password reset). Lockout events logged to security_events.
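An added example, not HatchOS code, of an in-memory sliding-window limiter of the kind described, with lockouts written to a stand-in for security_events. The limit, window length, key format and event shape are assumptions; the clock is passed in so the window behaviour can be exercised deterministically.

```python
"""In-memory sliding-window rate limiter for auth endpoints.

Added example, not HatchOS code. Limit, window size, key naming and the
security_events record shape are assumptions of this example.
"""
import time
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional


class SlidingWindowLimiter:
    def __init__(self, limit: int, window_seconds: float):
        self.limit = limit
        self.window = window_seconds
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)  # key -> timestamps
        self.security_events: List[dict] = []  # stands in for the security_events table

    def allow(self, key: str, now: Optional[float] = None) -> bool:
        """key is per endpoint and principal, e.g. "login:203.0.113.5" or "otp:42".

        `now` is injectable for tests; production callers use the monotonic clock.
        """
        if now is None:
            now = time.monotonic()
        q = self._hits[key]
        # Sliding window: drop every timestamp that is at least one window old.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            # Lockout event: who was throttled and when, for the security log.
            self.security_events.append({"event": "rate_limit_lockout", "key": key, "at": now})
            return False
        q.append(now)
        return True
```

Keying by endpoint plus principal (IP for login, user id for OTP) keeps one noisy client from locking out everyone behind the same endpoint, and the deque keeps memory bounded at `limit` entries per key.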
New-IP detection
auth_known_ips whitelist per user. A login from an IP not on the list writes an auth_anomaly_events record and can trigger an optional alert.
OAuth token encryption
All OAuth tokens (M365, integrations) stored AES-256-GCM encrypted in service_connections.metadata.
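An added example, not HatchOS code, showing what AES-256-GCM encryption of a stored OAuth token looks like with the `cryptography` package. Binding the service_connections row id into the GCM associated data is this example's own choice (an assumption, not something the page states): it means a ciphertext copied from one row into another fails authentication instead of decrypting.

```python
"""Encrypting stored OAuth tokens with AES-256-GCM.

Added example, not HatchOS code; requires the `cryptography` package. The
stored blob layout and the use of the row id as associated data are
assumptions of this example.
"""
import json
import os
from typing import Optional

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

KEY = AESGCM.generate_key(bit_length=256)  # constructed; a real key lives in a KMS/secret store


def _aad(connection_id: int) -> bytes:
    # Associated data is authenticated but not encrypted; tying it to the row
    # means the ciphertext is only valid for this service_connections record.
    return f"service_connections:{connection_id}".encode()


def encrypt_token(connection_id: int, token: dict) -> dict:
    """Return the blob that would be written to service_connections.metadata."""
    nonce = os.urandom(12)  # 96-bit nonce, fresh for every encryption
    ct = AESGCM(KEY).encrypt(nonce, json.dumps(token).encode(), _aad(connection_id))
    return {"alg": "A256GCM", "nonce": nonce.hex(), "ct": ct.hex()}


def decrypt_token(connection_id: int, blob: dict) -> Optional[dict]:
    """Return the token, or None if the tag fails (tampered, wrong key, or wrong row)."""
    try:
        pt = AESGCM(KEY).decrypt(
            bytes.fromhex(blob["nonce"]), bytes.fromhex(blob["ct"]), _aad(connection_id)
        )
    except InvalidTag:
        return None
    return json.loads(pt)
```

GCM's authentication tag is what turns a storage-layer modification (a flipped byte, a swapped row) into a decryption failure rather than a silently wrong token.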
Audit logging
HatchOS maintains an immutable audit log of every state-changing action in the platform. Audit events record actor, action, target entity, before/after state, IP address, and timestamp. They cannot be deleted or modified by any user, including God Mode administrators.
- Commission contract changes — every edit, with before/after state
- Settlement approvals and status transitions
- User role changes and permission overrides
- Feature flag changes with actor and timestamp
- God Mode tenant impersonation — actor, target tenant, session token, action
- Carrier banking information changes — full before/after audit trail
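An added example, not HatchOS code, of an append-only audit log carrying the fields listed above. The page states the log is immutable; this example adds a hash chain over the entries (an assumption, not something the page describes) so that any later edit or deletion is detectable by re-verifying the chain. Field names and sample values are constructed.

```python
"""Append-only audit log with a hash chain for tamper evidence.

Added example, not HatchOS code. The recorded fields follow the page; the hash
chain and the field names are assumptions of this example.
"""
import hashlib
import json
from typing import List, Optional

GENESIS = "0" * 64


class AuditLog:
    def __init__(self) -> None:
        self._entries: List[dict] = []  # no delete or update method exists on purpose

    @staticmethod
    def _digest(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, actor: str, action: str, target: str, before, after, ip: str, ts: str) -> dict:
        """Append one event; each entry commits to the hash of the one before it."""
        prev = self._entries[-1]["hash"] if self._entries else GENESIS
        entry = {"actor": actor, "action": action, "target": target,
                 "before": before, "after": after, "ip": ip, "ts": ts, "prev": prev}
        entry["hash"] = self._digest(entry)
        self._entries.append(entry)
        return entry

    def entries(self) -> List[dict]:
        return [dict(e) for e in self._entries]  # copies, so callers cannot mutate the log

    def verify(self, entries: Optional[List[dict]] = None) -> bool:
        """Recompute every hash and check the chain links; False on any edit or gap."""
        entries = self._entries if entries is None else entries
        prev = GENESIS
        for e in entries:
            if e["prev"] != prev or self._digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True
```

The test exercises the two failure modes that matter for an audit trail: an edited before/after state and a dropped entry, both of which break the chain.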
Infrastructure
- Render — application hosting; SOC 2 Type II; US-East region; auto-deploy from main branch with migration-first deploy order
- Neon PostgreSQL — managed serverless Postgres; point-in-time recovery; encryption at rest and in transit
- Cloudflare R2 — document and file storage via Polsia proxy; no public bucket URLs; all object access is signed and proxied
- TLS 1.2+ enforced on all endpoints; HTTP to HTTPS redirect at the edge
- All database queries use parameterized statements — no string-interpolated SQL
Data export and portability
Your data is yours. HatchOS supports CSV export for all major entity types — carriers, accounts, shipments, commission history — at any time, without vendor involvement. There is no exit fee or data portability charge.
Need more detail for procurement?
We'll walk your IT or security team through the full technical architecture in a dedicated call.