Financial data, held to professional standards.
Coherence is an accounting and operations platform trusted by holding companies, private‑equity‑backed operators, and multi‑entity businesses. The controls on this page describe how we protect the financial records our customers keep in our care — the architecture that prevents cross‑tenant access, the authentication that delegates identity to your own provider, the encryption that layers beneath our database, and the operational posture behind the software.
Tenant isolation, with controlled cross‑tenant access.
Every request in Coherence carries the signed‑in user's active tenant context in its authentication token. Every database query is scoped to that tenant. A user authenticated into one organization cannot read, write, or enumerate data belonging to another organization through any user interface, API endpoint, or background process. This is enforced at the application layer on every request — not derived from the session, not inferred from a URL, not trusted to the client.
The unique constraint on member records ensures that the same email address in two different organizations represents two distinct identities, each with its own permissions, audit trail, and data boundary. Switching between organizations — for users who legitimately belong to more than one — requires a full re‑authentication; tokens scoped to one organization cannot be used to access another.
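The request scoping described above, as an added illustration that is not Coherence's own code: the tenant filter comes from the verified token's claims, the tenant the client names in the URL is only compared against it, and every query is filtered by that value. `Claims`, `Record`, `ListRecords` and the sample rows are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
)

// Claims are the fields of an already-verified sign-in token that matter here;
// signature checking is assumed to have happened earlier in the pipeline.
type Claims struct {
	Subject  string // identity from the IdP (email)
	TenantID string // the one organization this token was issued for
}

// Record is a constructed ledger row; every row names its owning tenant.
type Record struct {
	ID       int
	TenantID string
	Memo     string
}

var ErrTenantMismatch = errors.New("token is not scoped to the requested organization")

// Constructed sample rows for two organizations.
var ledger = []Record{{1, "org-a", "rent"}, {2, "org-a", "payroll"}, {3, "org-b", "utilities"}}

// ListRecords is the query path every request passes through. The filter value
// is taken from the token, never from the client; the tenant the client named
// in the URL is compared against the token and refused on mismatch.
func ListRecords(c Claims, urlTenant string) ([]Record, error) {
	if urlTenant != c.TenantID {
		return nil, ErrTenantMismatch
	}
	var out []Record
	for _, r := range ledger {
		if r.TenantID == c.TenantID { // scope applied to every query, not just this one
			out = append(out, r)
		}
	}
	return out, nil
}

func main() {
	orgA := Claims{Subject: "alice@example.com", TenantID: "org-a"}
	rows, _ := ListRecords(orgA, "org-a")
	fmt.Println("org-a rows:", len(rows))
	_, err := ListRecords(orgA, "org-b") // same person, other organization: refused
	fmt.Println("cross-tenant read:", err)
}
```

A user who legitimately belongs to both organizations gets a second token scoped to org-b after re-authenticating; the org-a token never becomes valid for org-b.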
The one exception is controlled by the data owner.
The only way financial data crosses a tenant boundary in Coherence is the Portfolio feature, which exists for holding companies, accountants, and parents that need a consolidated view across related entities. Portfolio sharing is engineered so that the party whose data is at stake holds the switch.
The requesting organization generates a share‑request code and sends it out of band. The data‑owning organization must actively apply that code from within their own account to grant access. Without that affirmative action, no sharing occurs. Once active, the requesting organization can see only the data owner's general‑ledger account balances — the account‑level totals used for consolidated reporting. Transactional detail, banking information, AP and AR records, and all other operational data remain inaccessible.
The data‑owning organization can revoke access at any time, unilaterally. All share activity — request, grant, and revocation — is audit‑logged on both sides.
This design gives portfolio parents the visibility they need for consolidation without asking portfolio companies to surrender control of their books. It is the only path by which any data moves between tenants, and it is designed so that the data owner remains in control throughout.
Authentication stays in your identity provider.
Coherence does not have a password database. Sign‑in is available only through Microsoft Entra ID (formerly Azure AD) or Google Workspace. There is no username‑and‑password form, no local account creation, and no alternate authentication path.
This is a deliberate architectural decision, not a limitation. It means the multi‑factor authentication, conditional access, device trust, and session‑lifetime policies you have configured in your own identity provider apply automatically to Coherence. Sign‑in events — successful and failed — are visible in your IdP's audit log, where your IT and security teams already look. When an employee leaves and is disabled in your directory, their access to Coherence is revoked in real time, with no dependency on a Coherence admin workflow.
- Session tokens
- Short‑lived access tokens (15 minutes) are held in memory only — never written to browser storage where they could be read by malicious scripts. Refresh tokens (8 hours) are transmitted only in HttpOnly, Secure, SameSite cookies.
- Rotation & revocation
- Tokens rotate on every refresh. Tokens can be revoked per‑user or per‑session by administrators. Suspicious sign‑in patterns surface in the identity provider and can trigger immediate session termination.
- Idle timeout
- Sessions time out after 30 minutes of inactivity, and after 10 minutes for sensitive areas such as banking, payment runs, and user‑permission management. Warning modals give users an opportunity to extend before logout.
- Rate limiting
- Authentication endpoints are rate‑limited to 20 requests per minute; global traffic is limited to 100 requests per minute per client IP. Rate‑limit violations are logged and retained for security review.
- Granular permissions
- Within a tenant, role and resource permissions are configured per user — typically read, contribute, edit, admin, or none on each resource — with facility‑level and division‑level restrictions applied independently.
Encryption in transit and at rest, with application‑layer defense in depth.
Coherence encrypts data in transit end‑to‑end and applies an additional layer of application‑level encryption to sensitive financial fields — separate from, and in addition to, the encryption provided by the underlying database.
- In transit
- TLS is enforced between your browser and Coherence; between Coherence's edge (Cloudflare) and the application; and between the application and its database. The database connection specifically uses full certificate verification — validating both the certificate chain and the hostname, not merely encrypting the channel.
- Database encryption at rest
- The production database is encrypted at rest by the managed database service, using industry‑standard algorithms and keys managed by the infrastructure provider.
- Application‑layer field encryption
- Sensitive financial fields — bank account details, vendor ACH credentials, and customer‑sensitive tokens — are additionally encrypted at the application layer with AES symmetric encryption before being written to the database. Two independent key pairs are used: one for general application secrets and a second, dedicated pair for customer‑sensitive values, allowing each to be rotated separately.
- Key management
- All cryptographic keys, database credentials, OAuth client secrets, and service credentials are stored in Azure Key Vault. Nothing sensitive is stored in source control, environment files, or application configuration.
- File storage
- Uploaded documents, logos, and period‑report files are stored in Azure Blob Storage with locally‑ and geographically‑redundant storage (LRS and GRS) and encrypted at rest by the storage service.
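The application‑layer field encryption and the independent‑rotation property described above, as an added example that is not Coherence's own code. It assumes AES‑256‑GCM, two separately generated 32‑byte keys (in a deployment these would be loaded from a vault rather than generated in‑process), and column labels of the example's own choosing bound as associated data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

// randomBytes returns n bytes from the OS CSPRNG. The example keeps two
// independent 32-byte keys from it: appKey for general application secrets and
// customerKey for customer-sensitive values (assumption; a vault would hold them).
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil { panic(err) }
	return b
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Seal encrypts one field before it is written to the database. The column label
// is bound as associated data, so a blob moved to another column will not open.
func Seal(key, plaintext []byte, label string) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil { return nil, err }
	nonce := randomBytes(gcm.NonceSize()) // output layout: nonce || ciphertext || tag
	return gcm.Seal(nonce, nonce, plaintext, []byte(label)), nil
}

// Open reverses Seal; a wrong key, wrong label, or any tampering fails authentication.
func Open(key, blob []byte, label string) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil { return nil, err }
	if len(blob) < gcm.NonceSize() { return nil, errors.New("ciphertext too short") }
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], []byte(label))
}

// Reencrypt moves one stored blob from oldKey to newKey. Rotating customerKey means
// running this over customer-sensitive rows only; rows under appKey are untouched.
func Reencrypt(oldKey, newKey, blob []byte, label string) ([]byte, error) {
	pt, err := Open(oldKey, blob, label)
	if err != nil { return nil, err }
	return Seal(newKey, pt, label)
}
```

Because each key only ever opens blobs sealed under it, rotating the customer key is a bounded re‑encryption job over the customer‑sensitive columns, with no effect on data protected by the application key.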
Cloudflare sits in front of everything.
All traffic to Coherence — both the application frontend and the API — passes through Cloudflare before reaching Azure. This provides DDoS mitigation, TLS termination with modern cipher suites managed centrally, and a Web Application Firewall.
Coherence has enabled Cloudflare's managed ruleset (machine‑learning‑powered detection of zero‑day web exploits and current attack patterns) alongside the OWASP Core Ruleset, which blocks common web application attacks including SQL injection, cross‑site scripting, and other OWASP Top 10 threats. Requests identified as malicious are blocked at the edge and never reach the application layer.
DDoS protection, bot filtering, and IP reputation scoring are applied at the edge, meaning the application and database are insulated from the large‑volume low‑quality traffic that typically accompanies attacks on public‑facing services.
Hosting and availability.
Coherence runs on Microsoft Azure. The application database is a managed distributed SQL cluster operated by its vendor, with automatic three‑way replication built in at the database layer and a published uptime SLA of 99.99%.
- Runtime protection
- The application is protected by Microsoft Defender for App Services for runtime threat detection and by Microsoft Defender Cloud Security Posture Management (Defender CSPM) for continuous configuration‑drift monitoring across the Azure environment.
- Telemetry & logging
- Application Insights collects request telemetry, exception traces, and structured logs from every environment. Exception and request telemetry are explicitly excluded from adaptive sampling — every failure is recorded, even under load.
- Segregation of duties
- Production environment access is restricted to named operations personnel. Developers do not have direct access to production databases or production secrets; production deployments are gated and audited.
Backups and recovery.
Managed backups of the production database are taken automatically every hour and retained for 30 days, providing a one‑hour recovery point objective and a 30‑day restore window.
Backups are encrypted, stored by the managed database provider in cloud storage independent of the production cluster, and include both full and incremental snapshots. Restore procedures are documented and exercisable directly from the database provider's administrative console.
File storage (uploaded documents, logos, period reports) uses Azure Blob Storage with locally‑ and geographically‑redundant storage, providing durability against hardware failure and regional outage.
The backup configuration is reviewed and can be tightened — to a more frequent backup cadence or longer retention — as customer requirements evolve.
Audit logging and financial‑record immutability.
Coherence treats financial records as append‑only by design. Posted transactions cannot be edited or deleted — corrections are made by posting offsetting or reversing entries, so the complete history of every change is preserved for audit. This is the standard that external auditors, lenders, and acquirers expect, and it is what makes the Coherence general ledger defensible under review.
The only records in Coherence that can be hard‑deleted are vendor ACH bank‑account details, which can be purged independently of the payment history they were used to generate — meaning sensitive bank credentials can be removed from storage without erasing the financial record of the payments made with them.
- Row‑level attribution
- Every business‑domain record carries the authenticated user and timestamp of its creation and its most recent modification.
- Application audit logs
- Security‑sensitive actions — authentication events, permission changes, payment run finalization, period‑close actions, portfolio share grants and revocations — are written to dedicated audit services for administrative review.
- Infrastructure logs
- Request, exception, and platform telemetry is retained in Application Insights with Azure's standard retention; Defender alerts are retained in the Defender portal.
Compliance posture.
Coherence is not currently SOC 2 certified. We will evaluate formal SOC 2 certification as customer demand requires. What matters more than the attestation itself is whether a platform operates the underlying control set — and we do.
We operate the controls expected of a B2B financial platform: enterprise SSO with no local password database, granular per‑tenant permissions, two‑layer encryption with secrets in Azure Key Vault, managed backups with a one‑hour recovery point objective, append‑only financial records, Cloudflare WAF at the edge, Microsoft Defender monitoring the runtime and configuration, and continuous telemetry with un‑sampled exception capture.
A detailed security questionnaire response (CAIQ‑Lite format) is available under NDA. Prospective customers conducting vendor diligence should contact [email protected] to request it along with our current Data Processing Addendum.
Incident response.
Coherence maintains a documented incident response process with a named owner, defined severity tiers, and a customer‑notification commitment.
- Detection
- Security‑relevant signals — authentication failures, rate‑limit rejections, Cloudflare WAF blocks, Microsoft Defender alerts, Application Insights exception‑rate anomalies, and database‑provider alerts — are aggregated and routed to an on‑call engineer via PagerDuty.
- Response ownership
- A single named incident response owner holds responsibility for triage, response, and communication during any security incident, with documented escalation paths and after‑hours coverage through the PagerDuty rotation.
- Customer notification
- Coherence commits to notifying affected customers of any confirmed security incident involving their data promptly and directly — with a description of what happened, what data was involved, what actions we took, and what actions we recommend. Notification is delivered by email to the designated security contact for each affected tenant, with follow‑up through in‑application notice. Specific notification timelines are defined in customer data processing agreements.
- Subprocessor incidents
- When a subprocessor — Microsoft, Google, Cloudflare, Cockroach Labs, Postmark, Stripe, or Anthropic — issues a security notification that affects Coherence customer data, we evaluate the impact and forward the relevant information to affected customers under the same notification commitment.
- Post‑incident review
- Every confirmed security incident is followed by a written postmortem covering root cause, remediation, and preventive measures. Summaries are shared with materially affected customers.
Security concerns, vulnerability disclosures, and incident reports can be sent to [email protected].
Subprocessors.
Coherence uses a small set of established infrastructure and service providers to deliver the platform. Each subprocessor is bound by a data‑protection agreement with Coherence and is selected for its own security posture.
| Subprocessor | Purpose | Data handled |
|---|---|---|
| Microsoft Azure | Application hosting, file storage, service bus, secrets management, telemetry | All application data |
| Cockroach Labs | Managed distributed SQL database | All transactional data |
| Cloudflare | Edge protection, WAF, DDoS mitigation, TLS termination | Request metadata in transit |
| Microsoft Identity Platform | Microsoft work‑account authentication | Authentication metadata |
| Google Identity Platform | Google Workspace authentication | Authentication metadata |
| Postmark | Transactional email delivery (invoices, statements, notifications) | Recipient email addresses and message content generated by the tenant |
| Stripe | Coherence subscription billing | Subscriber billing information (not tenant end‑customer data) |
| Anthropic | Sales‑tax category classification suggestions for inventory and service items | Item names and descriptions only — no customer records, no transactional data, no PII |
Anthropic scope note. Coherence uses the Anthropic API for a single, narrowly‑scoped function: suggesting sales‑tax classifications when a tenant creates a new inventory item or service item. Only the item's name and description cross the boundary. Suggestions are advisory and a tenant admin accepts or overrides each one. Coherence does not operate an autonomous AI agent against customer data, and no customer application data is hosted with Anthropic — your data remains in Coherence infrastructure at all times.
Customers are notified by email prior to any addition of a new subprocessor that handles customer data.
Contact the security team.
Security questionnaires, vulnerability reports, DPA requests, and vendor‑diligence inquiries are handled by the Coherence security team. Legitimate concerns receive a response within two business days.
For urgent security matters — suspected compromise of a customer account, observed vulnerability, or active incident — please indicate urgency in the subject line.
- Security contact
- [email protected]
- Privacy & DPA
- Privacy Policy
- Under NDA
- CAIQ‑Lite, architecture brief, DPA