← Back to Corpograph
Security & Trust

Built for regulated organisations.

Corpograph is designed around one principle: your ownership and governance data stays controlled — isolated, role-guarded and fully traceable. This page summarises the security model for IT security, procurement and audit teams.

Customer isolation

No shared multi-tenant data store. Every customer runs in a dedicated environment.

  • Own database and own document storage per customer
  • Own domains (e.g. yourco.corpograph.com + API domain)
  • Own identity configuration, backup scope and monitoring scope
  • Module selection per environment (Shareholdings / Boards / Banking)

Identity & access

Enterprise SSO first; a controlled bridge while your IT integration is pending.

  • Microsoft Entra ID via OIDC — token issuer, audience and signature verified
  • Roles from Entra app roles / groups, or managed in-app
  • Invitation-only managed accounts with mandatory MFA (no open registration)
  • Session policy: re-authentication after idle and absolute lifetime

Authorisation & roles

Three roles — Viewer, Editor, Admin — enforced where it counts.

  • Backend-enforced permissions on every API request, not just hidden buttons
  • Viewer cannot change data; Admin-only configuration and user management
  • Role changes take effect immediately on the next request

Auditability

Nothing changes without a record.

  • Audit trail with actor, timestamp and before/after values per change
  • Per-entity change history plus a searchable full audit log
  • Login, invite and role-change events are audited

Data & hosting

Deployment follows your requirements — from cloud pilot to self-hosted.

  • PostgreSQL as the system of record; controlled document storage
  • HTTPS/TLS everywhere; secrets outside source code (env / Key Vault)
  • Cloud pilot today; Azure (Container Apps, Blob, Key Vault) as enterprise path
  • Self-hosted / customer-cloud package available for corporate IT

Operations & engagement

Professional operating controls before real customer data.

  • Managed database backups; restore approach defined per environment
  • Health checks, provider logs and monitoring per environment
  • DPA / AVV readiness and defined support-access process
  • Excel/CSV + SVG export at any time — no lock-in of your data

Demo environments run with sample data and controlled access. Production use of real customer data is gated on the completion of environment-specific controls — DPA, object storage, backup/restore testing and monitoring — as part of onboarding.

Talk to us about your requirements