/Security
The audit trail is the workflow. The workflow is the audit trail.
Security and compliance aren't an enterprise add-on at Partnr; they're how the platform is built. Multi-tenant isolation, token-based file access, and field-level audit logging are on by default.
The plain-English version.
Hosting and infrastructure
The Partnr platform runs on Microsoft Azure. The web application is deployed via Vercel. Both providers offer enterprise-grade physical and network security, including DDoS protection, isolated tenancy, and ISO 27001 certified facilities.
Data isolation
Every record in Partnr is scoped to an organisation. Database queries filter by organisationId at the data layer; no cross-tenant data exposure is possible through the API. Soft-delete preserves history without exposing deleted records to active workflows.
Authentication
Sign-in is supported via email/password (OTP-confirmed), Google OAuth 2.0, and Microsoft Azure AD. JWT access tokens are paired with refresh tokens stored in HTTP-only secure cookies. Vendor and client portal links use time-limited tokens with no naked URLs.
Authorisation
Organisation-based access control with configurable roles. New members can be configured to auto-join (matching email domain) or require admin approval. Role assignments control which capabilities a user can exercise within their organisation.
File storage
Uploaded documents are stored in Azure Blob Storage with unique paths per organisation. Preview and download URLs are token-based and time-limited; there are no permanent public links. Each document has an access-control flag (vendor-accessible, client-accessible, or internal).
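As an added illustration of time-limited, organisation-scoped file tokens checked against a document's access flag (this is not Partnr's code; the HMAC token format, the signing key, the path layout, and the rule that internal users can read every flag are assumptions made for the example):

```python
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-key"  # assumption: server-side key, never sent to clients
AUDIENCES = {"vendor", "client", "internal"}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(org_id, blob_path, audience, ttl_s, now=None):
    """Sign a claim that `audience` may read `blob_path` until an expiry time."""
    if audience not in AUDIENCES:
        raise ValueError("unknown audience")
    if not blob_path.startswith(f"{org_id}/"):
        raise ValueError("blob path is outside the organisation prefix")
    now = time.time() if now is None else now
    claims = {"org": org_id, "path": blob_path, "aud": audience, "exp": int(now + ttl_s)}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"

def verify_token(token, blob_path, doc_flag, now=None):
    """Return the claims if the token is authentic, unexpired, and fits the document."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        expected = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(sig, expected):  # authenticate before parsing
            return None
        claims = json.loads(_unb64(body))
    except (ValueError, TypeError):
        return None  # malformed token: wrong shape, bad base64, bad JSON
    if now >= claims["exp"] or claims["path"] != blob_path:
        return None  # expired, or replayed against a different document
    # Assumed flag rule: internal users read everything; portal users read
    # only documents flagged for their own audience.
    if claims["aud"] != "internal" and claims["aud"] != doc_flag:
        return None
    return claims
```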
Audit trail
Every create, update, and delete on monitored entities is logged with user ID, organisation, timestamp, IP address, user agent, and field-level deltas on updates. Audit logs are queryable by entity, user, or action type. Soft-delete preserves the full record history.
Data export and deletion
Customers retain full ownership of their data. On request we will export your organisation's data in a structured format, or permanently delete it. Soft-deleted records can be restored on request during the data retention period.
Compliance enquiries
For security reviews, data processing agreements, or compliance questionnaires, contact security@partnr.example. We respond within two business days.
Security questions before you sign up?
Email security@partnr.example and we'll get back to you within two business days.
