Skip to main content
Voltara Systems

Security & data

Security and data, stated plainly.

Security pages are usually written by marketing and reviewed by nobody. This one is the opposite: a plain list of what the platform actually does with your data, which third parties touch it, and — at the bottom — what we deliberately do not claim.

§01 · ISOLATION

Per-tenant isolation, enforced in the database

Your records live in Supabase Postgres behind row-level security keyed to your tenant. Isolation is a property of the database, not a habit of the application code: every row carries its tenant, and the policy on the table refuses to return anyone else’s.

§02 · ACCESS

Seventeen roles, gated on the server

Access control runs through 17 roles, and the enforcement point is the server: an action your role does not permit is refused at the API, not merely hidden in the interface. Hiding a button is courtesy; refusing the call is security.

§03 · AUDIT TRAIL

Transitions on the record

State transitions are audit-logged — who, when, from what to what — and each transition captures a gating snapshot: the exact gate discipline in force at that moment. When a question arrives months later, the record answers as of the date it happened, not as of the rules today.

§04 · PAYMENTS

Card data never touches Voltara

Paddle.com is our merchant of record. Checkout, card collection, billing and applicable taxes run on Paddle’s systems — your card number is theirs to protect and ours never to see. Invoices and refunds follow Paddle’s processes and our published policies.

Refund & cancellation policy

§05 · YOUR DATA

Export on request, deletion honoured

The records you create are yours. Ask and we export them; ask and we delete them, subject to any legal retention duties. Requests go to support@voltarasystems.net — which is answered by the people who actually operate the database.

§06 · SUBPROCESSORS

Who else touches your data

Three subprocessors, each for a stated purpose:

  • Vercel hosting and cookieless analytics
  • Supabase EU-region Postgres [[PENDING: confirm region]]
  • Paddle payments, as merchant of record

§07 · DISCIPLINE

The release gate

204 automated smoke tests and a ±0.5% engine regression gate run before any release.

204

automated smoke tests gate every release

±0.5%

engine regression tolerance vs the validated baseline

What we do not claim

We do not yet hold SOC 2 or ISO 27001 certifications. Rather than imply them, here is what we actually do, stated plainly above. Formal certification is a funded roadmap item.

Questions about any of the above: support@voltarasystems.net.