Security
The Sailor skeleton ships with audit logging, tenant isolation, encryption, and permission primitives as installable packages — not slideware.
Each item below is a package in this repository. Audit our source on GitHub.
@nebutra/tenant: Request-scoped tenant context (AsyncLocalStorage) plus Postgres Row-Level Security policies for hard tenant isolation at the database layer.
@nebutra/vault: Envelope encryption with AWS KMS for customer secrets. Plaintext never leaves the application boundary; rotation-aware data encryption keys.
@nebutra/permissions: CASL for in-process role/attribute checks; OpenFGA adapter for Zanzibar-style relationship graphs at enterprise scale.
@nebutra/audit: Consistent AuditEvent format with actor / action / resource / outcome attribution. Architecture in place; production integration in progress.
@nebutra/auth: Pluggable Clerk / Better Auth / NextAuth backends. Pick the right identity layer for your compliance posture without rewriting app code.
env validation + @nebutra/vault: Required env vars validated at process start (Zod schema). Application secrets are decrypted on demand, never persisted to logs.
We list current state plainly — what is in place today versus what is on the roadmap. No badges we have not earned.
DPA available on request. Data subject access and deletion workflows in app.
Not currently certified. Architecture designed to support SOC 2 controls; formal audit planned.
Not currently certified. Tracking ISMS scope alongside SOC 2.
Audit logging, RBAC, and encryption primitives in place; a Business Associate Agreement is required for covered entities.
China-compatible providers (Bailian, Volcengine, SiliconFlow) supported for in-China data residency.
We respond to security inquiries within one business day. For DPA requests, attach your draft or use ours.