TurboFinOpsTurboFinOps
Docs/Security Model

Trust

Security and Isolation Model

Security controls are built into every savings workflow: identity, tenancy, secret handling and immutable proof trails.

Security & Trust page

Identity and access

  • Supabase authentication with organization claim resolution.
  • Server-side role enforcement for every protected route.
  • Settings support for SSO/SAML onboarding paths.

Tenant isolation

  • Every query is scoped by organizationId.
  • Dashboard proxy endpoints enforce tenant context.
  • Organization-scoped access checks guard API operations.

Secrets and key management

  • Credential encryption at rest.
  • Rotation workflows and posture telemetry.
  • Fail-closed guardrails where configured.

Savings proof controls

  • Immutable events for every state-changing savings action.
  • Receipt evidence includes provenance metadata and checkpoints.
  • Actions and approvals remain attributable to actor and role.

Request security flow

01

Authenticate

Supabase session is read server-side and user identity is resolved before dashboard data loads.

02

Resolve organization

The request is matched to the active organization and membership is validated.

03

Authorize role

The server checks whether the user role can access the requested domain or action.

04

Scope data

Database reads and writes include organizationId so tenant data cannot bleed across accounts.

05

Audit mutation

State-changing operations emit an audit event with actor, timestamp, result and correlation metadata.

Architecture layers

TurboFinOps separates concerns across five layers so that customer data, credentials and state-changing operations each cross a clearly enforced boundary. Each layer carries its own guarantees and failure modes.

  1. 01 · Edge and identity

    Trust boundary 1 — public internet

    • TLS 1.2+ termination with HSTS
    • Supabase Auth (OAuth, SAML SSO, SCIM)
    • Helmet-applied CSP, X-Frame-Options, Referrer-Policy
    • Per-tenant rate limiting (Throttler)

    Boundary: Only authenticated, organization-scoped requests cross this boundary into the control plane.

  2. 02 · Control plane

    NestJS API — authoritative for permissions and policy

    • Tenant middleware resolving organizationId on every request
    • Server-side RBAC guards on every controller
    • Action engine with conflict guard and approval workflow
    • Audit logging on every state-changing operation

    Boundary: No long-running cloud calls run here. The control plane only enqueues work and reads results.

  3. 03 · Execution plane

    BullMQ workers — scanners, pricing, actions

    • Cloud scanner adapters (AWS, Azure, GCP) running with tenant credentials
    • Pricing service refresh jobs
    • Action execution processor (out-of-band from HTTP)
    • Notification dispatcher with decryption verification before sending webhooks

    Boundary: Workers operate on jobs already validated by the control plane. Cloud credentials are decrypted only inside the worker process.

  4. 04 · Data plane

    PostgreSQL + KMS + immutable audit

    • PostgreSQL (Supabase) — tenant-scoped rows; queries always include organizationId
    • Redis (Aiven, TLS) — ephemeral queue only
    • KMS-protected secrets — AES-256 envelope encryption for cloud and AI credentials
    • Immutable AuditLog table with sanitized metadata

    Boundary: No process other than the API and authorized workers can reach the data plane. Backups encrypted with the same KMS hierarchy.

  5. 05 · Governance

    Cross-cutting controls

    • Continuous tenant-isolation regression suite in CI
    • Dependency audit gates on production builds
    • Coordinated vulnerability disclosure (/security/vulnerability-disclosure)
    • Incident response with ≤ 72 h customer notification (/security/incident-response)

    Boundary: Governance controls apply to all layers above. Bypass of any control is itself an auditable event.

Operating controls

Least privilege cloud access

Start with read-only discovery credentials and add write permissions only for approved action types.

Secret rotation

Rotate provider credentials through connection workflows and verify scan health after rotation.

Exception review

Suppressed findings and action overrides should include a reason and be reviewed during audit cycles.

Break-glass discipline

Manual overrides should be time-bounded, assigned to an Admin and backed by audit evidence.

Get started

Find recoverable spend before the next invoice lands.

Connect one AWS, Azure or GCP scope, approve the safest savings actions, and give finance a receipt when the savings verify.

Read-only scan first. Approval gates before remediation.
Connect a cloud scopeSee pricing