Security
Hardened. By default.
MFA. Role-based access. Your data in its own database. Append-only audit on every action. Same shape for every customer — no enterprise-only safety net you pay extra to unlock.
Multi-factor auth
TOTP and hardware keys for every user.
Time-based one-time passwords for everyday MFA. WebAuthn-based security keys for users who need stronger, phishing-resistant guarantees. Both options are available to every user; admins can require MFA per role.
- TOTP via any standards-compliant authenticator app
- WebAuthn / FIDO2 hardware keys
- Per-role MFA enforcement
Role-based access
Roles, scopes, and per-user overrides.
Permissions are object-based (resource + action). Roles bundle permissions; scopes constrain access by territory or location; per-user overrides handle the exceptions. Super-admin bypass is itself audited.
- Resource + action permission model
- Territory and location scoping on every role
- Per-user grants and revokes, with audit
Audit log
Two tiers. Every action.
Every business record carries created-by and updated-by metadata. A separate append-only log captures every read, write, and delete across the system — with user, role, IP address, user agent, and timestamp. The records auditors ask for already exist.
- Per-record actor metadata on every business object
- Append-only system-wide log captured automatically
- Filterable by user, role, action, resource, and time window
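The role-based access and audit log sections above describe the same evaluation path from two sides: a (resource, action) check layered with role scope and per-user overrides, and a record of every decision. The block below is an added illustration of that path, not Wyatt's code. The class and field names, the sample roles and users, and the evaluation order (explicit revoke beats grant, territory scope applies to every role, super-admin bypass fires only after a normal deny and is recorded as such) are assumptions for the demo.

```python
"""Added example (not Wyatt's code): resource+action permissions, role scope,
per-user grants/revokes and an audited super-admin bypass, with every decision,
reads included, appended to a query-only audit log. Names are assumed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

Permission = tuple  # (resource, action), e.g. ("orders", "read")


@dataclass(frozen=True)
class Role:
    name: str
    permissions: frozenset
    territories: frozenset  # scope: territories this role may operate in
    super_admin: bool = False


@dataclass
class User:
    id: str
    role: Role
    grants: set = field(default_factory=set)   # per-user additions
    revokes: set = field(default_factory=set)  # per-user removals; win over grants


@dataclass(frozen=True)
class AuditEntry:
    ts: datetime
    user: str
    role: str
    action: str
    resource: str
    territory: str
    ip: str
    user_agent: str
    decision: str  # "allow", "deny" or "allow:super-admin-bypass"


class AuditLog:
    """Append-only: callers can add and query entries, never edit or remove them."""

    def __init__(self) -> None:
        self._entries: list = []

    def append(self, entry: AuditEntry) -> None:
        self._entries.append(entry)

    def query(self, user: Optional[str] = None, role: Optional[str] = None,
              action: Optional[str] = None, resource: Optional[str] = None,
              since: Optional[datetime] = None, until: Optional[datetime] = None) -> list:
        """Filter by user, role, action, resource and/or a time window."""
        hits = []
        for e in self._entries:
            if user is not None and e.user != user:
                continue
            if role is not None and e.role != role:
                continue
            if action is not None and e.action != action:
                continue
            if resource is not None and e.resource != resource:
                continue
            if since is not None and e.ts < since:
                continue
            if until is not None and e.ts > until:
                continue
            hits.append(e)
        return hits


def authorize(log: AuditLog, user: User, resource: str, action: str,
              territory: str, ip: str, user_agent: str) -> bool:
    """Decide and record. Revoke beats grant; scope applies to every role;
    super-admin bypass is consulted only after a normal deny and is logged distinctly."""
    perm = (resource, action)
    has_perm = (perm in user.role.permissions or perm in user.grants) and perm not in user.revokes
    in_scope = territory in user.role.territories
    if has_perm and in_scope:
        decision = "allow"
    elif user.role.super_admin:
        decision = "allow:super-admin-bypass"  # never silent
    else:
        decision = "deny"
    log.append(AuditEntry(datetime.now(timezone.utc), user.id, user.role.name, action,
                          resource, territory, ip, user_agent, decision))
    return decision != "deny"


# Constructed sample principals (assumed names, not real accounts).
SALES_REP = Role("sales_rep", frozenset({("orders", "read"), ("orders", "create")}),
                 frozenset({"west"}))
SUPER_ADMIN = Role("super_admin", frozenset(), frozenset(), super_admin=True)


def run_demo() -> tuple:
    """Five checks: allow, out-of-scope deny, revoked deny, granted allow, audited bypass."""
    log = AuditLog()
    alice = User("alice", SALES_REP)
    bob = User("bob", SALES_REP, grants={("orders", "delete")}, revokes={("orders", "create")})
    root = User("root", SUPER_ADMIN)
    ua = "Mozilla/5.0 (demo)"
    results = [
        authorize(log, alice, "orders", "read", "west", "10.0.0.5", ua),   # True
        authorize(log, alice, "orders", "read", "east", "10.0.0.5", ua),   # False: out of scope
        authorize(log, bob, "orders", "create", "west", "10.0.0.9", ua),   # False: revoked
        authorize(log, bob, "orders", "delete", "west", "10.0.0.9", ua),   # True: per-user grant
        authorize(log, root, "ledger", "delete", "east", "10.0.0.1", ua),  # True: bypass, logged
    ]
    return results, log


if __name__ == "__main__":
    res, audit = run_demo()
    print(res)
    for e in audit.query(role="super_admin"):
        print(e.decision, e.user, e.resource, e.action, e.territory, e.ip)
```

The point to notice is that the bypass path produces a distinct decision value rather than a plain "allow", so a filter on role or decision surfaces every super-admin override without reconstructing it from context.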
Your data, alone
Your data lives in your own database.
Wyatt is multi-tenant by isolation, not by shared row. Every customer’s records — customers, products, orders, ledger, audit log — live in a database scoped to that customer, with no cross-tenant access path. A query in your tenant cannot reach another tenant’s data because the data isn’t in the same place to begin with.
- Per-tenant data isolation, not row-level segregation
- Invitation-based onboarding with single-use, time-boxed tokens
- Passwords stored salted and hashed; never logged, never in the clear
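The three claims in this section (a database per tenant rather than a tenant column, single-use time-boxed invitation tokens, salted and hashed passwords) fit in one small worked example. The block below is an added illustration, not Wyatt's code: each tenant gets its own SQLite database so a query has no tenant predicate to forget, invitation tokens are stored only as a hash and consumed atomically on first valid use, and passwords go through scrypt with a per-user salt. The table layout, the 24-hour TTL, the scrypt parameters and the sample tenant names are assumptions.

```python
"""Added example (not Wyatt's code): one SQLite database per tenant, single-use
time-boxed invitation tokens stored as hashes, and salted/hashed passwords.
Table names, TTL, scrypt parameters and tenant names are assumptions."""
import hashlib
import hmac
import os
import secrets
import sqlite3
import time
from typing import Optional

INVITE_TTL_SECONDS = 24 * 3600  # assumed
_TENANT_DBS = {}  # tenant id -> its own connection; stands in for one database per customer


def db_for(tenant: str) -> sqlite3.Connection:
    """Every tenant gets a separate database; there is no shared table to mis-filter."""
    if tenant not in _TENANT_DBS:
        conn = sqlite3.connect(":memory:")
        conn.executescript("""
            CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, total_cents INTEGER);
            CREATE TABLE invites (token_hash BLOB PRIMARY KEY, email TEXT,
                                  expires_at INTEGER, used INTEGER DEFAULT 0);
            CREATE TABLE users (email TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB);
        """)
        _TENANT_DBS[tenant] = conn
    return _TENANT_DBS[tenant]


def list_orders(tenant: str) -> list:
    # No tenant_id predicate to forget: the connection itself is the boundary.
    return db_for(tenant).execute("SELECT customer, total_cents FROM orders").fetchall()


def _hash_token(token: str) -> bytes:
    return hashlib.sha256(token.encode()).digest()


def create_invite(tenant: str, email: str, now: int) -> str:
    """Returns the plaintext token once; only its hash is persisted."""
    token = secrets.token_urlsafe(32)
    db_for(tenant).execute("INSERT INTO invites VALUES (?, ?, ?, 0)",
                           (_hash_token(token), email, now + INVITE_TTL_SECONDS))
    return token


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Per-user random salt plus scrypt; the plaintext is never stored or logged."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
    return salt, digest


def verify_password(tenant: str, email: str, password: str) -> bool:
    row = db_for(tenant).execute(
        "SELECT salt, pw_hash FROM users WHERE email = ?", (email,)).fetchone()
    if row is None:
        return False
    _, digest = hash_password(password, row[0])
    return hmac.compare_digest(digest, row[1])  # constant-time comparison


def redeem_invite(tenant: str, token: str, password: str, now: int) -> bool:
    """Single-use and time-boxed: the row is consumed in one UPDATE, so a replay
    or an expired token matches zero rows and the account is never created."""
    conn = db_for(tenant)
    cur = conn.execute(
        "UPDATE invites SET used = 1 WHERE token_hash = ? AND used = 0 AND expires_at > ?",
        (_hash_token(token), now))
    if cur.rowcount != 1:
        return False  # unknown, already used, expired, or issued by another tenant
    email = conn.execute("SELECT email FROM invites WHERE token_hash = ?",
                         (_hash_token(token),)).fetchone()[0]
    salt, digest = hash_password(password)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)", (email, salt, digest))
    return True


def run_demo() -> dict:
    """Constructed sample data for two tenants; returns what each check observed."""
    now = int(time.time())
    db_for("acme").execute("INSERT OR IGNORE INTO orders VALUES (1, 'Acme buyer', 1200)")
    db_for("globex").execute("INSERT OR IGNORE INTO orders VALUES (1, 'Globex buyer', 99)")
    tok = create_invite("acme", "new@acme.example", now)
    first = redeem_invite("acme", tok, "correct horse", now + 60)
    replay = redeem_invite("acme", tok, "other", now + 120)
    late = create_invite("acme", "late@acme.example", now)
    expired = redeem_invite("acme", late, "x", now + INVITE_TTL_SECONDS + 1)
    cross = redeem_invite("globex", tok, "x", now + 60)  # acme's token is unknown in globex
    return {
        "acme_orders": list_orders("acme"),
        "globex_orders": list_orders("globex"),
        "first_redeem": first, "replay": replay, "expired": expired, "cross_tenant": cross,
        "login_ok": verify_password("acme", "new@acme.example", "correct horse"),
        "login_bad": verify_password("acme", "new@acme.example", "wrong"),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

Two design points worth carrying over: the invitation row is consumed by the same statement that validates it, so there is no check-then-use window for a replay, and the token table holds only a SHA-256 of the token, so a leaked tenant database does not hand out live invitations.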