Security

Fail closed, minimize data, preserve evidence

TerritoryLogic is designed to make an unsafe ownership write harder than a safe skip. This page distinguishes implemented controls from assurance work that is still incomplete.

Last reviewed July 15, 2026 · Early-access documentation

Identity and access

  • HubSpot OAuth is the only public installation and sign-in identity path; there is no TerritoryLogic password database.
  • Hosted sessions are opaque, secure, HttpOnly, portal-bound, and time-limited. HubSpot launch codes are single-use and short-lived.
  • Account Owner, Admin/Publisher, Editor, Viewer, and Card-only roles are scoped to one HubSpot portal.
  • Mutating console requests require the portal session, role authorization, CSRF protection, and operation-specific concurrency or idempotency evidence.

Tenant and secret isolation

  • The HubSpot portal ID is the tenant key. PostgreSQL row-level security is forced under the application database role.
  • OAuth access and refresh tokens are stored as encrypted envelopes and accessed through a private token-vault boundary.
  • Public and destructive maintenance database access use separate least-privilege roles and separate Cloudflare Hyperdrive connections.
  • Uninstall work is generation-bound so a stale event cannot intentionally target a later installation.

Data minimization

  • The current public program reads HubSpot companies, schemas, and owners only.
  • Routing snapshots retain normalized U.S. country/ZIP5, current owner, opaque record identity, bounded source/validity evidence, and only configured allowlisted facts.
  • Raw street addresses and malformed ZIP input are not retained for current routing. The service does not geocode addresses.
  • Privacy webhook subjects are replaced with tenant-scoped cryptographic fingerprints before maintenance persistence or queue delivery.

Write safety

  • Simulation is bound to an immutable draft and company snapshot and never writes HubSpot.
  • Production owner writes require a runtime mode, exact portal allowlist, current write scope, publisher authorization, and a current publication preview.
  • HubSpot is re-read before a possible write. Changed, locked, invalid, plan-limited, outside-territory, or otherwise unsafe records are preserved.
  • Guarded rollback restores only TerritoryLogic's still-current latest successful value; later human or integration changes are skipped.

Infrastructure

The current service runs on Cloudflare Workers and related Cloudflare services, with PostgreSQL 17/PostGIS hosted by Neon. HubSpot remains the connected CRM. See Subprocessors for the current and inactive vendor list.

Outstanding assurance work

  • Independent security assessment and complete public vulnerability-disclosure process.
  • Contractual backup-retention maximum, recovery objectives, and service-level commitments.
  • Full production alerting/status automation and large-portal chaos/load evidence.
  • Real-portal validation of all Journal, privacy, uninstall, and recovery races across multiple unaffiliated portals.

Report a security concern

Use the support path and put “Security” in the subject. Include the affected URL, approximate time/time zone, and a minimal reproduction. Do not send tokens, credentials, exploit customer data, or access data beyond what is necessary to describe the issue.