Security & Trust

This page outlines the security principles, controls, and operational practices that protect customer data on the Varity Systems platform.

Security by Design

• Tenant isolation is enforced at the database layer, not the UI or API layer.
• Authenticated requests always operate within a verified tenant context.
• Cross-tenant data access is structurally prevented by design.

Authentication & Session Management

• Short-lived JWT access tokens with rotating refresh tokens.
• Each refresh token represents a single logical session.
• Users and administrators can revoke individual sessions or all active sessions.
• Revoked sessions cannot be reused or restored.

Tenant Isolation Guarantees

• Tenant isolation is enforced post-authentication at the database access layer.
• Pre-authentication access is limited strictly to identity resolution flows (e.g. login, password reset).
• Any post-authentication access without tenant scoping is treated as a security defect.

Operational Security

• Security-relevant actions generate immutable audit and alert records.
• Administrative access is governed by role-based access control (RBAC).
• Sensitive actions such as session revocation and password changes are monitored and logged.

Compliance & Assurance

• The Varity Systems security architecture is aligned with SOC 2 Type II trust service criteria.
• Controls are designed and operated continuously throughout the reporting period.
• Additional audit evidence can be provided under NDA upon request.