Security
Last updated: 2026-07-09
Security is foundational to Stack Method. Below are the controls that are actually implemented in the platform today — we describe only what we do.
Tenant isolation (row-level security)
Stack Method is multi-tenant, and every organization’s data is fenced by PostgreSQL row-level security (RLS). The application’s runtime database role is not permitted to bypass RLS, and every request runs bound to the acting organization, so one organization’s queries can never read or write another’s rows. Beyond org isolation, individual deals carry record-level visibility so members see only the files they’re entitled to.
Encryption in transit & at rest
All traffic is served over TLS. Data is stored in a managed PostgreSQL database with encryption at rest at the storage layer.
Least-privilege database access
The application connects with a least-privilege role that cannot bypass row-level security or act as a superuser, and whose access to sensitive columns is locked down; administrative and migration access is separated from the runtime role.
Authentication & sessions
Passwords are stored only as salted scrypt hashes — never in plaintext. Sessions use a signed, HTTP-only cookie, and access is re-verified server-side on every request. Staff/operator accounts require multi-factor authentication.
Payment security
Card payments are processed entirely by Stripe; Stack Method never sees or stores card numbers. Inbound billing webhooks are cryptographically signature-verified before they are processed.
Auditability
Sensitive platform actions and deal stage transitions are recorded to an audit trail with the actor and timestamp, so changes are attributable.
Data retention & deletion
Your organization’s data is retained for the life of your account and deleted or returned on request per your agreement. See our Privacy Policy.
Responsible disclosure
If you believe you’ve found a security issue, please email security@obsidianluxeholdingsllc.com. We appreciate responsible disclosure and will work with you to resolve valid reports.
We do not currently claim SOC 2, PCI-DSS, or third-party penetration-test certifications; this page will be updated if that changes.
Questions? Contact legal@obsidianluxeholdingsllc.com.