Your data, your region, your cloud — under your control.

Route document uploads to your own Google Drive, OneDrive, SharePoint, or Dropbox. Tenants upload directly to your provider — Terraa stores only a file reference and hash. For customers who want Terraa in the loop for AI and workflow automation, Connected BYO holds a narrow-scope OAuth token scoped to a dedicated folder you name.

• ✓Link-only posture — zero tokens held by Terraa, zero bytes in Terraa storage.
• ✓Connected OAuth posture — narrow-scope token, dedicated folder, revocable any time.
• ✓Audit-integrity artefacts (signed contracts, evidence bundles, raw email payloads, tenant exports) always stay in Terraa-managed storage regardless of BYO configuration.
• ✓You own the bytes. Disconnect and every file stays exactly where it already is — in your drive.

Pick the region your structured data lives in. Terraa deploys against regional database clusters so your lease, tenant, payment, and maintenance records stay within your chosen jurisdiction — meeting local data protection laws without carving out a custom tenant.

• ✓UAE / GCC — primary region with a planned path to self-hosted me-south-1 for full UAE PDPL and DIFC DP Law compliance.
• ✓EU / UK — regional clusters aligned with GDPR and UK GDPR data transfer rules.
• ✓APAC — Singapore and Mumbai regional clusters serving India, ASEAN, and HK portfolios.
• ✓Americas — US and Canadian clusters with US state-level residency options for regulated customers.

AES-256 encryption at rest on every backing store. TLS 1.3 on every request. API keys and provider credentials encrypted with per-tenant keys. Sensitive fields (IDs, bank details, passport numbers) tokenised at the data layer with role-gated reveal.

• ✓Server-side AES-256-GCM on databases and object storage.
• ✓TLS 1.3 enforced on every public and internal endpoint.
• ✓Provider API keys encrypted with per-tenant envelope keys, decrypted only server-side.
• ✓No secret ever returned to the client — masked views only.

Every table in Terraa enforces Row-Level Security at the database layer. A PM user cannot physically read another operator's records — even through a misconfigured API call. Six automated invariant tests in CI prevent regressions.

• ✓RLS policies on every table, enforced by the database before data reaches application code.
• ✓Six static-analysis ratchets in CI — provider scope, scoped-data helper, bypass audit, agent scoping, intelligence/reports scoping, API body validation.
• ✓Every client-scoped query checked against the authenticated client_id — wrong scope returns empty, not forbidden.
• ✓Agent code paths use a dedicated scoped-data helper so AI tool calls cannot escape their client scope.

No public document URLs, ever. Every upload and every download happens through a short-lived signed token — generated only after access rights are re-verified at the API boundary. Revoked the moment access rights change.

• ✓Upload tokens expire after 5 minutes.
• ✓Download tokens expire after 15 minutes.
• ✓Entity access (document, conversation attachment, work order) is re-checked before every token is issued.
• ✓File-type allowlist and size caps per category (leases PDF only, photos capped at 50MB).

Session management through NextAuth with optional TOTP MFA. Every privileged action writes a signed audit record. Account lockout on repeated failures. Session invalidation on password change or role change.

• ✓Optional TOTP multi-factor authentication with recovery codes.
• ✓Full audit trail: login, privileged action, data export, role change, permission grant.
• ✓Account lockout, rate limiting, CSRF protection, session invalidation on privilege change.
• ✓Sixteen roles across five layers (platform, services, PM, client, actor) — least-privilege by design.