ADCG is a multi-tenant platform with strict data isolation guarantees. Tenant data never leaks — not through application bugs, not through database queries, not through shared caches.
Every tenant operates in a logically isolated environment:
Tenant isolation is enforced at the PostgreSQL level using RLS policies:
```sql
-- Every tenant-scoped table has this policy
ALTER TABLE evidence ENABLE ROW LEVEL SECURITY;
CREATE POLICY tenant_isolation ON evidence
  USING (tenant_id = current_setting('app.tenant_id')::uuid);
```
The `app.tenant_id` session variable is set from the authenticated API key — not from request parameters. Even if the application layer has a bug that passes the wrong tenant ID, the database rejects the query.
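
The policy above exercised end to end, as an added example that is not ADCG's own code. It assumes a scratch PostgreSQL database and a superuser session; the `payload` column, the `app_rw` role and both UUIDs are constructed for illustration. It also adds `FORCE ROW LEVEL SECURITY`, which the page does not show, because without it the table owner is exempt from the policy.

```sql
-- Added example. Run as a superuser in a scratch database; everything is rolled back.
BEGIN;
CREATE TABLE evidence (tenant_id uuid NOT NULL, payload text NOT NULL);  -- constructed layout

ALTER TABLE evidence ENABLE ROW LEVEL SECURITY;
-- Not on the page: without FORCE, the table owner is exempt from the policy.
ALTER TABLE evidence FORCE ROW LEVEL SECURITY;

-- Policy as given on the page. With no WITH CHECK clause, PostgreSQL applies
-- the USING expression to new rows as well.
CREATE POLICY tenant_isolation ON evidence
    USING (tenant_id = current_setting('app.tenant_id')::uuid);

-- Hypothetical application role: superusers and BYPASSRLS roles skip RLS entirely.
CREATE ROLE app_rw NOLOGIN NOSUPERUSER NOBYPASSRLS;
GRANT SELECT, INSERT ON evidence TO app_rw;
SET LOCAL ROLE app_rw;

-- Tenant A (constructed UUID). is_local = true scopes the setting to this
-- transaction, so a pooled connection cannot carry it into another request.
SELECT set_config('app.tenant_id', '11111111-1111-1111-1111-111111111111', true);
INSERT INTO evidence VALUES ('11111111-1111-1111-1111-111111111111', 'tenant A artifact');

-- Tenant B (constructed UUID).
SELECT set_config('app.tenant_id', '22222222-2222-2222-2222-222222222222', true);
INSERT INTO evidence VALUES ('22222222-2222-2222-2222-222222222222', 'tenant B artifact');

-- No WHERE clause, still only tenant B's row is visible.
SELECT tenant_id, payload FROM evidence;

-- Simulated application bug: the query names tenant A while bound to B. Zero rows.
SELECT count(*) FROM evidence
WHERE tenant_id = '11111111-1111-1111-1111-111111111111';

-- Writing a row for tenant A while bound to B fails the policy check with
-- "new row violates row-level security policy".
SAVEPOINT forged_write;
INSERT INTO evidence VALUES ('11111111-1111-1111-1111-111111111111', 'forged');
ROLLBACK TO SAVEPOINT forged_write;

ROLLBACK;
```
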
| Data Type | Storage | Retention | Encrypted |
|---|---|---|---|
| Evidence artifacts | PostgreSQL (immutable) | Per-plan (30d–unlimited) | At rest (AES-256) |
| Run manifests | PostgreSQL | Same as evidence | At rest |
| Submission files | Object storage (temporary) | Deleted after run completion | In transit + at rest |
| API keys | PostgreSQL (hashed) | Until revoked | Bcrypt hash |
| Policy definitions | PostgreSQL (versioned) | Indefinite | At rest |
| Audit logs | PostgreSQL (immutable) | Indefinite | At rest |
Tenants can export:
All exports are tenant-scoped. There is no mechanism to export another tenant's data.
Two mechanisms prevent evidence tampering:
UPDATE and DELETE operations. Even with direct SQL access, evidence rows cannot be modified or removed without disabling triggers (superuser-only, logged).
Enterprise tenants can configure data residency: