Security & trust

Built audit-first. Not bolted on later.

The deep version of how Gravity protects your knowledge: what every action records, why a published version cannot be silently changed, and why we never run your code. Written for the person doing the review.

SSO & SAML · tenant-editable RBAC · append-only audit with cold-storage retention · immutable, content-addressed versions.

Security posture · By design

Invariants, not settings

Three properties hold for every tenant, every time. They are how the platform is built — there is no switch to turn them off.

  • Every action is written to an append-only log
  • Every published version is content-addressed
  • Your code is read, never executed

Logical multi-tenancy with strong controls — organisation-scoped from the database up.

The controls, in detail

What your reviewer can verify

Each control below maps to a row a security questionnaire actually asks about — stated as how the platform is built, not what it might do.

SSO & SAML

Authentication is delegated to the identity provider you already run, so your existing MFA, conditional-access and lifecycle policies govern Gravity too.

SAML 2.0 / OIDC · MFA enforced at your IdP

Tenant-editable RBAC

Roles are data, not code. Clone a baseline, reshape it to your org and scope it to only the modules a team is licensed for — no deploy, no ticket to us.

Read · Write · Review · Publish · Admin · per-module scope

Append-only audit log

Every action is written to an immutable log with actor, action, resource, result and timestamp. Entries cannot be edited or removed — only read and exported.

Immutable · queryable · CSV export for auditors

Cold-storage retention

The audit trail is rotated to durable cold storage on a fixed cadence and retained for years, so the record outlives any single incident or staff change.

Scheduled rotation · multi-year retention

Immutable, content-addressed versions

A published version is addressed by the hash of its content. The same address always returns the same bytes — what your readers see is exactly what was approved.

Content-addressed · signed · tamper-evident

PII masking

Where the runner captures screenshots or payloads to document a system, sensitive values are masked before anything is stored — observation without exposure.

Masked at capture · before storage

Tenant export & deletion

Your content is always yours to take with you. Clean export and verifiable deletion paths cover offboarding and right-to-be-forgotten requests.

Full export · verifiable deletion

Strong tenant isolation

Every record is organisation-scoped from the database up. Platform-admin support access is itself scoped and written to your own audit trail.

Org-scoped storage · audited support access

SOC 2 posture

Audit-first by design with logical multi-tenancy and strong controls. We will share our current posture and timeline with your team under NDA.

SOC 2 in progress · shared under NDA

The audit log, up close

Every action, attributable and kept

Not a summary feed — the record. Every entry carries the same five columns, and denied actions are logged exactly like allowed ones.

Audit log · live · append-only
actor a.okafor@acme.com · action version.publish · resource auth/login.mdx @ b3f1c9 · result published · timestamp 14:02:11

Illustrative entries. The real log is queryable by actor, action, resource and date range, with one-click CSV export for your auditors.

What every entry records

One shape for every event, so an investigation never depends on which feature produced the entry.

actor
The authenticated user, service or IdP that initiated it
action
The exact operation, e.g. version.publish
resource
What it touched — with the content hash where relevant
result
allowed · recorded · published · denied — failures included
timestamp
Server time, immutable once written
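To make the five-column shape concrete, here is an added illustration (not Gravity's code) of an in-memory audit log that exposes only append, query and CSV export, and that records a denied attempt with exactly the same shape as an allowed one. The role table, the actors and the fixed clock are constructed for the example; the column names follow the page.

```python
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, List, Optional

# Added illustration, not Gravity's code. Field names are the page's five columns;
# ROLE_GRANTS and the sample actors are constructed.


@dataclass(frozen=True)
class AuditEntry:
    """One event. frozen=True makes the entry immutable once written."""
    actor: str
    action: str
    resource: str
    result: str
    timestamp: datetime


class AppendOnlyAuditLog:
    """Only append, query and export exist: there is no edit or delete path at all."""

    def __init__(self, clock: Callable[[], datetime] = lambda: datetime.now(timezone.utc)) -> None:
        self._entries: List[AuditEntry] = []
        self._clock = clock  # server time; callers never supply their own timestamp

    def append(self, actor: str, action: str, resource: str, result: str) -> AuditEntry:
        entry = AuditEntry(actor, action, resource, result, self._clock())
        self._entries.append(entry)
        return entry

    def query(self, actor: Optional[str] = None, action: Optional[str] = None,
              resource: Optional[str] = None, result: Optional[str] = None,
              since: Optional[datetime] = None, until: Optional[datetime] = None) -> List[AuditEntry]:
        """Filter by any combination of actor, action, resource, result and date range."""
        out = []
        for e in self._entries:
            if actor is not None and e.actor != actor:
                continue
            if action is not None and e.action != action:
                continue
            if resource is not None and e.resource != resource:
                continue
            if result is not None and e.result != result:
                continue
            if since is not None and e.timestamp < since:
                continue
            if until is not None and e.timestamp > until:
                continue
            out.append(e)
        return out

    def export_csv(self) -> str:
        """Same five columns in the same order on every row, whatever produced the event."""
        buf = io.StringIO()
        writer = csv.writer(buf)
        writer.writerow(["actor", "action", "resource", "result", "timestamp"])
        for e in self._entries:
            writer.writerow([e.actor, e.action, e.resource, e.result, e.timestamp.isoformat()])
        return buf.getvalue()


# Constructed role table (hypothetical): which actions each actor is granted.
ROLE_GRANTS = {
    "a.okafor@acme.com": {"version.write", "version.publish"},
    "t.lee@acme.com": {"version.write"},
}


def attempt(log: AppendOnlyAuditLog, actor: str, action: str, resource: str) -> bool:
    """Authorise, then record. A denied attempt is logged with exactly the same shape."""
    permitted = action in ROLE_GRANTS.get(actor, set())
    if not permitted:
        result = "denied"
    elif action == "version.publish":
        result = "published"
    else:
        result = "allowed"
    log.append(actor, action, resource, result)
    return permitted


def entry_is_immutable(entry: AuditEntry) -> bool:
    """True if attribute assignment on a written entry is rejected."""
    try:
        entry.result = "allowed"  # type: ignore[misc]
    except AttributeError:  # dataclasses raise FrozenInstanceError, an AttributeError subclass
        return True
    return False


def build_sample_log() -> AppendOnlyAuditLog:
    """Three constructed events: one publish, two denied attempts, on a fixed clock."""
    ticks = [datetime(2024, 5, 1, 14, 2, 11, tzinfo=timezone.utc) + timedelta(minutes=3 * i) for i in range(3)]
    log = AppendOnlyAuditLog(clock=lambda: ticks.pop(0))
    attempt(log, "a.okafor@acme.com", "version.publish", "auth/login.mdx @ b3f1c9")
    attempt(log, "t.lee@acme.com", "version.publish", "auth/login.mdx @ b3f1c9")
    attempt(log, "nobody@example.com", "version.write", "auth/login.mdx")
    return log
```

The point to check in a review is that the log object has no path that mutates an existing row: the only write is `append`, every row comes out of `export_csv` with the same columns, and a failed authorisation still produces a row.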

Why it is safe

Your code stays yours — and publish is the line.

Follow a change from the credential we read under to the moment it becomes a record your customers can rely on. Nothing here is a setting you switch on; it is the path every change takes.

  1. Scoped, revocable access

    Least privilege

    Gravity reads your source under a least-privilege credential you grant and can revoke at any moment. Access ends the instant you say so — there is no standing key.

  2. We never run your code

    Static analysis only

    Documentation is generated from static analysis. Your code is read, never executed, so there is no runtime path from Gravity into your systems.

  3. Drafting stays private

    Private until approved

    Authoring and review happen off the record your customers see. Nothing a draft contains is public, and nothing public changes until publish.

  4. Publish is the audit boundary

    Content-addressed · signed

    On publish, the approved change becomes a content-addressed, signed version. The same address always returns the same bytes — the line a reviewer can trust.

  5. No silent edits

    Notified · immutable

    Every reader who depends on the page is notified of exactly what changed. A published version cannot be altered in place — only superseded, on the record.

Sealing a version

gravity — publish
$ gravity publish auth/login.mdx


The version hash b3f1c9a4 is derived from the content itself. Anyone can later confirm the bytes served still match it — tamper-evidence, not a promise.
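As an added example of what "derived from the content itself" buys a reviewer (not Gravity's own code), the store below seals each published version under the SHA-256 of its bytes, never overwrites an address, lets anyone re-hash served bytes to confirm they still match, and produces the diff readers would be notified of when a version is superseded. SHA-256 as the hash, the per-page head table and the sample page text are assumptions; the page's b3f1c9a4 is a shortened illustrative hash, so addresses here will differ. Signing, which the page also mentions, is not shown.

```python
import difflib
import hashlib
import hmac
from typing import Dict, List, Tuple

# Added illustration, not Gravity's code. SHA-256, the head table and the
# sample content are assumptions made for the example.


class ContentAddressedStore:
    def __init__(self) -> None:
        self._blobs: Dict[str, bytes] = {}  # address -> the exact bytes sealed under it
        self._head: Dict[str, str] = {}     # page path -> address currently published

    @staticmethod
    def address_of(content: bytes) -> str:
        """The address is a pure function of the bytes: same bytes, same address."""
        return hashlib.sha256(content).hexdigest()

    def current_bytes(self, path: str) -> bytes:
        addr = self._head.get(path)
        return self._blobs[addr] if addr else b""

    def publish(self, path: str, content: bytes) -> Tuple[str, List[str]]:
        """Seal content as a version and return its address plus the change readers are told about."""
        previous = self.current_bytes(path)
        addr = self.address_of(content)
        # setdefault: an address can never be re-pointed at different bytes, so there is
        # no in-place edit; a change is always a new address that supersedes the old one.
        self._blobs.setdefault(addr, content)
        self._head[path] = addr
        diff = list(difflib.unified_diff(
            previous.decode().splitlines(), content.decode().splitlines(),
            fromfile=f"{path} @ {self.address_of(previous)[:8]}" if previous else "(none)",
            tofile=f"{path} @ {addr[:8]}", lineterm=""))
        return addr, diff

    def fetch(self, addr: str) -> bytes:
        """Resolve an address. The bytes returned are whatever was sealed under it, forever."""
        return self._blobs[addr]

    @staticmethod
    def verify(addr: str, served: bytes) -> bool:
        """Tamper-evidence: anyone holding the address can re-hash what they were served."""
        return hmac.compare_digest(hashlib.sha256(served).hexdigest(), addr)
```

Usage: `addr, diff = store.publish("auth/login.mdx", b"...")` seals a version; a later `store.publish` on the same path yields a new address and a unified diff, while `store.fetch(addr)` on the old address still returns the old bytes. `verify` is what a reader or auditor runs on bytes they were served, so the property holds without trusting the server that served them.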

The posture, in numbers

Substance over adjectives

The claims on this page, restated as figures a reviewer can quote.

  • A content hash sealing every published version
  • 5 columns on every audit entry, no matter the action
  • 0 lines of your code Gravity ever executes
  • 100% of actions written to an append-only log

For your security review

What you can request

Built for the questionnaire, not just the demo. Ask, and we will share the artefacts your team signs off against.

SOC 2 posture & timeline

Our current control posture and certification timeline, shared with your team under NDA.

DPA, ready to sign

A standard data-processing agreement covering how your content is handled, stored and deleted.

Subprocessor list

Exactly which parties touch your data, kept current so your review never goes stale.

Security whitepaper

The architecture behind tenant isolation, the audit log and content-addressed publishing, in writing.

Export & deletion paths

Clean, verifiable export and deletion for offboarding and right-to-be-forgotten requests.

Your questionnaire, answered

Send your standard security questionnaire and we will return it completed against the controls above.

Compliance data-room

[Product screenshot: the compliance data-room — download the DPA, subprocessor list and SOC 2 letter, and track which artefacts your reviewer has acknowledged.]

  • Append-only · Every action logged and kept
  • Content-addressed · Published versions you can verify
  • Never run · Your code is read, not executed
  • Yours · Export or delete your data anytime

Send us your security questionnaire.

We will walk your team through these controls, share our SOC 2 posture under NDA, and sign a DPA.