Security

Pore holds the keys to your authorization graph. We treat that responsibility seriously. This page summarizes what we do today and what we are working on. For the detailed threat model, see the security docs.

Tenant isolation

Every row in every domain table has tenant_id as the leading composite-index column. There is no ambient tenant context in the code — a misconfigured query cannot accidentally span tenants. Cross-tenant reads require an explicit admin path.

Encryption

All traffic is TLS 1.3. At rest, tenant data is encrypted using provider-managed keys. Enterprise customers can bring their own keys (BYOK) on request.

API keys

Keys are hashed with a memory-hard KDF before storage. Only the prefix is recoverable for display. Rotating a key takes effect within seconds across every region.
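A sketch of the storage scheme described above, added here as an illustration and not Pore's own code. The choice of scrypt, its cost parameters, the `prefix.secret` key layout, and every function name are assumptions, since the page does not name the KDF or the key format.

```python
import hashlib
import hmac
import secrets

# Assumed cost settings; the page does not state which memory-hard KDF is used.
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32, maxmem=64 * 1024 * 1024)

STORE = {}  # prefix -> record; stands in for the key table (hypothetical)


def issue_key(tenant_id):
    """Create a key, persist only prefix + salt + hash, return the secret once."""
    prefix = secrets.token_hex(4)        # non-secret, kept in clear for display
    secret = secrets.token_urlsafe(32)   # never stored
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(secret.encode(), salt=salt, **SCRYPT)
    STORE[prefix] = {"tenant_id": tenant_id, "salt": salt,
                     "hash": digest, "revoked": False}
    return f"{prefix}.{secret}"


def verify_key(presented):
    """Return the owning tenant_id for a valid, unrevoked key, else None."""
    prefix, sep, secret = presented.partition(".")
    rec = STORE.get(prefix)
    # Early exit only reveals whether a prefix exists, and the prefix is not secret.
    if not sep or rec is None or rec["revoked"]:
        return None
    candidate = hashlib.scrypt(secret.encode(), salt=rec["salt"], **SCRYPT)
    # Constant-time comparison of the derived hash against the stored one.
    if hmac.compare_digest(candidate, rec["hash"]):
        return rec["tenant_id"]
    return None


def rotate_key(old_prefix):
    """Revoke the old key and issue a replacement for the same tenant."""
    rec = STORE[old_prefix]
    rec["revoked"] = True
    return issue_key(rec["tenant_id"])


def display_form(prefix):
    """What a dashboard can show: the prefix only, since the secret is unrecoverable."""
    return prefix + "." + "*" * 8
```

A database leak under this layout exposes prefixes, salts and hashes, so an attacker still has to pay the KDF cost per guess against a 256-bit random secret.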

Audit

Every authorization check, grant, and revocation is written to an append-only audit log. Logs are partitioned per tenant and exportable via the API.

Compliance

SOC 2 Type I audit in progress. Type II targeted for late 2026. GDPR and DPA templates available on request.

Vulnerability disclosure

Report security issues to security@pore.dev. We respond within one business day and credit reporters in our changelog.