The wedge · attestable per-tenant isolation
Don't trust the filter.
Re-run the proof.
Every incumbent scopes tenants with a metadata WHERE-filter. We separate them physically and cryptographically — then hand you a signed receipt you can verify yourself.
Fig. 1 · the four controls, bottom-up
- 04Ed25519-signed attestationBuyer-runnable verify_isolation → signed receipt · public JWKS
- 03AES-256-GCM envelope encryptionPer-tenant key · tenant_id as AAD · fail-closed key material
- 02FORCE ROW LEVEL SECURITYOWASP-recommended backstop · NOLOGIN role + GRANT per tenant
- 01Schema-per-tenantPhysical separation at the DB layer — not a shared table
01
Physically separate
A breach of one compartment cannot reach another — there is no shared row surface to leak across.
02
Cryptographically bound
Each tenant's data is envelope-encrypted under its own key, with the tenant id as additional authenticated data.
03
Machine-checkable
verify_isolation runs live fault-injection probes and returns an Ed25519-signed attestation. Don't trust us — re-run it.
Honest ceiling
OWASP ranks separate databases above schema-per-tenant. Our answer is FORCE RLS + per-tenant crypto + the attestation — not a claim that we are unbeatable.