Security + data posture

Workspace-isolated. Cryptographically signed. Auditable forever.

Manufacturers don't share data with other manufacturers. Lenders don't see other lenders' deals. Programs don't expose disbursements. Row-level security (RLS) is enforced at the database layer. Lifecycle events are immutable. Hash signatures on every module.

Workspace isolation

Every workspace in Keystone is a hard boundary. Modules, pools, programs, disbursements, insurance policies, and the activity timeline are all scoped to workspace_id. Row-level security policies enforced at the Postgres layer use security-definer helpers (is_member(workspace_id)) to prevent any cross-tenant query. You can only see what your workspace owns.
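A sketch of the pattern described above, added here as an illustration and not taken from Keystone's schema. The workspace_members and modules tables and their columns are hypothetical; auth.uid() and the anon and authenticated roles are the ones Supabase provides, and the same role is assumed to own both the tables and the function.

```sql
-- Hypothetical schema: table and column names are assumptions, not Keystone's.
create table public.workspace_members (
  workspace_id uuid not null,
  user_id      uuid not null,
  primary key (workspace_id, user_id)
);
-- RLS enabled with no policies: API clients cannot read memberships directly.
alter table public.workspace_members enable row level security;

create table public.modules (
  id           uuid primary key default gen_random_uuid(),
  workspace_id uuid not null,
  name         text not null
);

-- SECURITY DEFINER runs the lookup as the function owner, so the membership
-- check works even though callers cannot select from workspace_members.
-- An empty search_path plus schema-qualified names stops a caller from
-- shadowing the objects the function resolves.
create function public.is_member(ws uuid) returns boolean
language sql stable security definer
set search_path = ''
as $$
  select exists (
    select 1
    from public.workspace_members m
    where m.workspace_id = ws
      and m.user_id = auth.uid()   -- null for unauthenticated callers => false
  );
$$;

revoke all on function public.is_member(uuid) from public, anon;
grant execute on function public.is_member(uuid) to authenticated;

alter table public.modules enable row level security;
alter table public.modules force row level security;  -- the owner is bound too

-- No DELETE policy is defined, so deletes are denied by default.
create policy modules_select on public.modules for select to authenticated
  using (public.is_member(workspace_id));
create policy modules_insert on public.modules for insert to authenticated
  with check (public.is_member(workspace_id));
-- WITH CHECK on update blocks moving a row into a workspace the caller
-- does not belong to.
create policy modules_update on public.modules for update to authenticated
  using (public.is_member(workspace_id))
  with check (public.is_member(workspace_id));
```

To check the boundary, run the same select as two users in different workspaces and confirm each sees only rows whose workspace_id matches their own membership.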

Module hashing

Every module gets an auto-generated hash at insert. The hash covers provenance, QA, resilience, and value attributes. Lifecycle events (state changes, inspections, transports) are immutable — once written, they cannot be edited or deleted. The audit trail is the source of truth.

Disbursement audit

Every disbursement attempt — released, denied for milestone, denied for over-budget — is captured. The audit record carries the source module, the requested milestone, the amount, the rail fee, the timestamp, and the decision. Inspector general and program funder access is granted by workspace permission.

Authentication

Email + password via Supabase Auth. (Auto-confirm in concept mode; real email confirmation will be enabled before production wide-release.) Invite allowlist controls who joins which workspace; invited emails auto-join the named workspace, and any other email gets its own isolated personal workspace.

Data residency

Hosted on Supabase, us-east-1 region. Postgres 17. Encryption at rest (Supabase default). TLS in transit. Edge Functions run isolated per request.

Privacy + tenant data

Industry-aggregated data flows into the Modular Index only de-identified — no manufacturer attribution, no project attribution. Individual workspace data is never exposed to other workspaces or to the Index without explicit consent.

Reporting + access

Workspace owners can audit every action taken in their workspace from the activity timeline. Disbursement programs can grant inspector general access scoped to their program. API tokens scoped per workspace. Coming soon: SAML SSO for enterprise workspaces.

The verified-asset rail is only as trustworthy as its weakest tenant boundary. We treat that boundary as the product's foundation.

Next step

Open the registry. Register a module.

Five minutes from signup to your first KeyScore. The same record then flows through underwriting, disbursement, insurance, and the index — without re-entering data anywhere.