Platform Security

    Security &
    Channel Integrity.

    Your data stays isolated. Your channels stay clean. Built for MSPs who answer to compliance officers.

    Row-level isolationAES-256 + Supabase VaultAudit log per tenant
    How RLS Works

    Four steps from sign-in to isolated rows — Postgres runs them all.

    1. Tenant signs in
      Supabase Auth issues a JWT · scoped to company_id
    2. Every request carries scope
      JWT travels with the query · no anonymous reads
    3. Postgres RLS enforces
      Policy auto-filters at the DB · not app code
    4. Cross-tenant returns 0 rows
      No admin override · no escape hatch
    Data Isolation

    Complete Data Isolation

    Your data is never commingled with another company's data. Period.

    How It Works

    Company A

    Leads, campaigns, keys, users

    RLS Wall

    Company B

    Leads, campaigns, keys, users

    Row-Level Security enforced at the Postgres level — not application code.

    Row-Level Security (RLS)

    Every table has RLS policies enforced by Postgres itself. Queries are automatically scoped to the authenticated user's company_id. There is no application-level bypass — the database rejects unauthorized access before your query ever runs.

    No Shared Tenancy

    Each company's leads, campaigns, API keys, and user data exist in complete isolation. Company A cannot access, query, or even detect Company B's data — by design, not by convention.

    Scoped at Authentication

    Every authenticated session carries the user's company_id in the JWT. All downstream queries are automatically filtered. There is no 'admin override' that exposes cross-tenant data.

    Access Control

    Authentication & Access Control

    No self-signup. No shared credentials. Every user is provisioned by an admin.

    Invite-Only Access

    • No public registration
    • Admin provisions every user
    • Email verification required
    • Session tokens with automatic refresh

    Role-Based Access (RBAC)

    • internal_admin — platform operators
    • client_admin — manages their company
    • client_user — standard team member
    • Roles stored in separate security table

    Session Security

    • JWT-based authentication
    • Automatic token refresh
    • Server-side role validation
    • No client-side role checks
    Integrations

    CRM & PSA Integrations

    You connect your own CRM, PSA, or marketing platform. We request only the permissions we need, and your credentials are never visible to us — or anyone else.

    Credentials

    How Your Credentials Are Protected

    When you connect an integration, your API key or OAuth token is stored in Supabase Vault — an encrypted secrets manager built into the database layer. We never see or store credentials in plaintext.

    • AES-256 encryption at rest inside Supabase Vault
    • OAuth flows request only the scopes required — nothing more
    • Credentials decrypted only during secure edge function execution
    • Each company's integration credentials are fully isolated — no cross-tenant access
    • Revoking an integration deletes the key permanently from the vault
    Supported Stacks

    Supported Integrations

    Connect your existing stack — your data stays where it is, we just make it smarter. Each company manages its own integrations independently.

    ConnectWise PSA

    PSA platform — syncs contacts, companies & tickets

    Autotask / Datto

    PSA platform — bidirectional CRM sync

    GoHighLevel

    Marketing & CRM — lead enrichment & pipeline sync

    HubSpot

    CRM — contact enrichment & deal creation

    Microsoft 365

    Email & contacts — scoped OAuth access

    Google Workspace

    Email & contacts — scoped OAuth access

    Audit Trail

    Audit & Logging

    Every meaningful action is tracked. Who did what, when, and to which record.

    Activity Logging

    Lead status changes, email sends, campaign actions — all logged with timestamps and user attribution.

    Database Triggers

    Postgres triggers capture mutations at the database level, not the application level. No bypassing.

    Edge Function Logs

    Every serverless function execution is logged with request/response metadata for debugging and compliance.

    Change Tracking

    Version tracking on workflows, campaign configurations, and ICP profiles. See exactly what changed and when.

    Infrastructure

    Infrastructure

    Production-grade cloud infrastructure with encryption at every layer.

    Layer 01

    Database

    PostgreSQL on AWS via Supabase. Encrypted at rest (AES-256), encrypted in transit (TLS 1.2+). Automated backups with point-in-time recovery.

    Layer 02

    Edge Functions

    Serverless Deno runtime on AWS. Each function executes in an isolated environment. No shared memory or state between invocations or tenants.

    Layer 03

    Network Security

    TLS everywhere — API, database connections, webhook callbacks. No unencrypted traffic. CORS policies restrict cross-origin access.

    Layer 04

    Authentication Layer

    Supabase Auth with Gotrue. Bcrypt password hashing. JWT tokens with configurable expiration. Rate limiting on auth endpoints.

    Compliance

    Compliance Posture

    Our infrastructure is built on platforms that meet the most demanding compliance requirements.

    HIPAA-Capable

    Hosting infrastructure supports BAA agreements

    SOC 2 Type II

    Supabase infrastructure is SOC 2 certified

    AES-256 Encryption

    Data encrypted at rest and in transit

    GDPR-Aware

    Data handling designed for privacy regulations

    Audit Logs

    Complete action trail for every tenant

    Invite-Only Access

    No public registration surface

    A note on compliance claims: We don't claim certifications we don't hold. Our infrastructure provider (Supabase / AWS) holds SOC 2 Type II certification. Our platform is built to operate within HIPAA, GDPR, and CAN-SPAM frameworks. If you need specific compliance documentation, we'll walk through our architecture with your security team directly.

    Channel Protection

    Channel Purity & Market Protection

    We'd rather say no than degrade your results. If your market is already covered, we'll tell you.

    Geographic Limits

    We actively cap the number of MSPs targeting the same metro area. Oversaturation kills reply rates — we prevent it before it starts.

    No Competing Pipelines

    Your prospects never receive outreach from another AutomatedMSP client. Your pipeline is yours — there's no internal competition for the same inbox.

    Channel Effectiveness

    Cold email works because channels stay fresh. We've built high-performing infrastructure and we protect it by limiting volume per market.

    We May Say No

    If your target market already has strong coverage from an existing client, we'll be upfront. We won't onboard you into a saturated channel.

    Currently Accepting Limited Clients

    Limited Availability Per Market

    We cap the number of MSPs we onboard per metro area and vertical. This isn't artificial scarcity — it's how we keep deliverability high and reply rates strong for every client. If we're at capacity in your area, we'll add you to a waitlist and notify you when a slot opens.

    Talk to Us

    Ready for a Security Deep-Dive?

    Book a security review call. We'll walk through our architecture, answer your compliance questions, and share whatever documentation your team needs.