    Security & Data Architecture

    Treeova's security posture is defense-in-depth. Row-level security gates every user table in the database, broker tokens are AES-256 encrypted at rest, admin access is MFA-gated, the audit log is append-only, and paper accounts are fully isolated from any live broker integration.

    Quick definition

    Treeova's defense-in-depth security model: row-level security on every user table, AES-256-encrypted broker tokens, MFA-gated admin access, immutable audit log, and full paper/live isolation.

    Row-level security as the default

    Every public-schema table on Treeova has row-level security enabled and explicit policies. There is no "open by default" surface: if a policy doesn't grant access, requests fail. Even the user_roles table is only ever read through a security-definer function, to prevent recursion-based bypasses.
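
The pattern described above, sketched for PostgreSQL as an added example (not Treeova's own schema or code). Every name other than user_roles is hypothetical, and the per-request setting app.user_id is an assumption about how the verified session reaches the database.

```sql
-- Added example; object names are hypothetical, not Treeova's schema.
CREATE TYPE app_role AS ENUM ('user', 'admin');

CREATE TABLE user_roles (
  user_id uuid     NOT NULL,
  role    app_role NOT NULL,
  PRIMARY KEY (user_id, role)
);

CREATE TABLE broker_connections (
  id      bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
  user_id uuid NOT NULL,
  broker  text NOT NULL
);

-- Assumption: the server sets app.user_id per request after verifying the session.
CREATE FUNCTION current_user_id() RETURNS uuid
LANGUAGE sql STABLE
AS $$ SELECT nullif(current_setting('app.user_id', true), '')::uuid $$;

-- With RLS enabled and no policy, non-owner roles see no rows (default deny).
ALTER TABLE user_roles         ENABLE ROW LEVEL SECURITY;
ALTER TABLE broker_connections ENABLE ROW LEVEL SECURITY;

-- SECURITY DEFINER runs with the function owner's rights. When the owner is
-- the table owner (and FORCE ROW LEVEL SECURITY is off), the lookup does not
-- re-enter the user_roles policies. search_path is pinned so a caller cannot
-- shadow user_roles with an object of their own.
CREATE FUNCTION has_role(_user_id uuid, _role app_role) RETURNS boolean
LANGUAGE sql STABLE SECURITY DEFINER
SET search_path = public
AS $$
  SELECT EXISTS (
    SELECT 1 FROM user_roles WHERE user_id = _user_id AND role = _role
  )
$$;

-- Owners read their own rows; admin status is resolved through has_role().
CREATE POLICY broker_connections_select ON broker_connections
  FOR SELECT
  USING (user_id = current_user_id() OR has_role(current_user_id(), 'admin'));

-- A policy on user_roles that queried user_roles directly would fail with an
-- infinite-recursion error; routing the check through has_role() avoids that.
CREATE POLICY user_roles_select ON user_roles
  FOR SELECT
  USING (user_id = current_user_id() OR has_role(current_user_id(), 'admin'));
```

No INSERT, UPDATE or DELETE policy is defined here, so writes from non-owner roles are rejected until a policy explicitly grants them.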

    Broker credentials

    OAuth tokens and any other broker credentials are encrypted with AES-256 before they ever touch persistent storage. Decryption happens only inside server-side edge functions that have a verified user session attached — never in client-side code, never in logs.

    Admin gates and audit

    Super-admin actions go through an MFA gate enforced server-side, not just in the UI. Every privileged action writes to an immutable audit log so post-incident review is always possible.

    Go deeper

    The full technical methodology behind Security & Data Architecture is documented in the Treeova whitepaper series.
