Security
Key custody (AWS KMS)
When an area is created, the system generates its Stellar key pair and encrypts the private key with AWS KMS. Only the backend can request decryption, and only to sign transactions. Every signing request is recorded in the KMS audit log. Private keys never appear in application logs, the database, or source code, so a Supabase breach does not expose them.
Privacy by design
Sensitive data (beneficiaries, contracts, documents) stays off-chain in Supabase. On-chain only: transaction hash, amount, and the internal payment ID in the MEMO field. Attached receipts are stored in Supabase Storage; only their SHA-256 hash is recorded with the payment, and document content never goes on-chain. A donor can verify a document's integrity by recomputing its hash, without seeing its contents.
Append-only model
Recorded payments cannot be modified; only new records are added. Errors are corrected with new entries, never by deleting history. This guarantees non-repudiation and a verifiable, time-ordered record.
Multi-tenant isolation
- Row Level Security (RLS) in Supabase ensures every database query is automatically filtered by foundation
- Independent Stellar wallets per foundation
- Middleware validates the user's JWT before any operation
- No user can access another foundation's data through any route or endpoint
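The append-only model and the RLS-based tenant isolation described above can be enforced in Postgres itself, so the guarantees do not rest on application code alone. The following is an added example, not the project's own schema or policies; it assumes a simplified `payments` table and a `foundation_members` table mapping Supabase `auth.uid()` values to foundations, with role names (`authenticated`, `anon`) as Supabase defines them.

```sql
-- Constructed example schema (not the project's real tables).
create table public.foundation_members (
  user_id uuid not null,            -- matches auth.uid() of the Supabase user
  foundation_id uuid not null,
  primary key (user_id, foundation_id)
);

create table public.payments (
  id uuid primary key default gen_random_uuid(),
  foundation_id uuid not null,
  amount numeric(20, 7) not null,   -- Stellar amounts have 7 decimal places
  stellar_tx_hash text,
  receipt_sha256 text,              -- hash of the receipt, never its content
  corrects_payment_id uuid references public.payments(id), -- correction chain
  created_at timestamptz not null default now()
);

-- Tenant isolation: every query is filtered by the caller's foundation.
alter table public.payments enable row level security;
alter table public.payments force row level security; -- applies to the owner too

create policy payments_select_own_foundation on public.payments
  for select to authenticated
  using (exists (
    select 1 from public.foundation_members m
    where m.user_id = auth.uid() and m.foundation_id = payments.foundation_id));

create policy payments_insert_own_foundation on public.payments
  for insert to authenticated
  with check (exists (
    select 1 from public.foundation_members m
    where m.user_id = auth.uid() and m.foundation_id = payments.foundation_id));

-- Append-only: no UPDATE/DELETE policies exist, so RLS denies them; the
-- revoke makes the denial independent of RLS configuration.
revoke update, delete on public.payments from authenticated, anon;

-- Defence in depth: reject mutations for every role, including ones that
-- bypass RLS. Errors must be corrected with a new row referencing the old one.
create or replace function public.reject_payment_mutation()
returns trigger language plpgsql as $$
begin
  raise exception 'payments is append-only: % rejected on %; insert a correcting row instead',
    tg_op, old.id;
end $$;

create trigger payments_append_only
  before update or delete on public.payments
  for each row execute function public.reject_payment_mutation();
```

The trigger matters because Supabase's `service_role` bypasses RLS, so the policies alone would not stop a backend bug from rewriting history; the trigger fires regardless of role.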