All traffic terminates on Cloudflare or Bunny.net at the edge with TLS 1.2 minimum, modern cipher suites only, HSTS preloaded. Internal service-to-service traffic stays inside the regional VPC and never traverses the public internet.
PostgreSQL volumes encrypted with Scaleway-managed KMS keys. Object Storage encrypted server-side with the same. Per-region key isolation: a key compromise in one region cannot affect another. Keys rotate automatically every 90 days.
Every meaningful action lands in the audit log; the chain is hash-linked so tampering with a past row breaks every subsequent entry. Daily Merkle roots are published to the workspace JWKS for end-to-end customer verification.
Every query is scoped by workspace id at the application layer; the workspace-resolver middleware filters by user membership to prevent slug collisions across customers. Object Storage uses per-workspace key prefixes; audit chains are per-workspace.
Memberships carry an enum role (owner/admin/member/billing) as the floor; custom roles add per-(content_type, field) read/write grants. The custom role can never expand past the enum baseline. Module-gated by advanced_rbac.
Default flow is magic-link via Resend (EU region). Passkeys (WebAuthn) become available after the first sign-in; the private key never leaves the user's device. SAML/SCIM via WorkOS is a paid module, activated per-customer when needed.
The Studio uses Auth.js session JWTs decoded with the shared AUTH_SECRET. CLIs and integrations use per-workspace API keys with scope (read / read_draft / write / management). Plaintext shown once at issuance; the server stores SHA-256 hashes only.
Every webhook payload is signed with the subscriber-specific secret; the X-Estøkad-Signature header carries sha256=<hex>. Customers verify the signature before acting on the body. Failed deliveries retry with exponential backoff, with a durable per-delivery audit history.
Production access requires hardware-key MFA. Engineers granted access on need-to-know basis; access reviewed quarterly and revoked on role change. No production database direct access; all reads happen through the audit-logged management surface.
Per-region Postgres uses continuous WAL archiving to Scaleway Object Storage with 30-day point-in-time recovery. Object Storage versioning enabled on customer assets. Backups stay in-region by default — no cross-region replication.
Customers can subscribe to the EU failover backup module (€299/mo) for a nightly encrypted copy to a designated secondary EU country. Cold-standby; the primary data plane stays primary-only. On a primary-region outage, customer-initiated promotion restores read/write within 4 hours. Off by default — enabling it is a contractual acknowledgement that the data leaves the primary region for backup purposes only.