Isolation
Each customer buys a named product instance. Commercial records, access metadata, and lifecycle state do not collapse into a shared tenant view.
Trust boundary
Single-tenant product instances with explicit control surfaces.
BayStore's security posture starts with separation: public marketing, customer dashboard, operator console, API, payment adapters, and runtime mutation stay behind declared boundaries.
Audit trail
Operator actions are recorded with correlation identifiers so commercial and runtime events can be reconciled.
Recovery
Failed, suspended, and deleted states remain explicit. Recovery is an operation, not an overwrite.
Controls
Current security commitments
Isolation and sandbox boundaryEach product instance is single-tenant: commercial records, access metadata, and lifecycle state are scoped to one customer. The current surface keeps checkout in a
sandbox_placeholder boundary and treats M100 as bounded non-payment evidence, not full production readiness. Production controls require separate configuration and approval.| Area | Marketing commitment | Production dependency |
|---|---|---|
| Public site | Self-hosted static assets, no third-party scripts loaded by default, optional first-party-proxied analytics after consent, and no public console link. | CDN, TLS, and cache policy at deployment. |
| Checkout | Checkout remains sandbox_placeholder; this public site does not charge cards or configure production provider billing. | Provider-approved Stripe and PayPal production configuration. |
| Authentication | M99 covers customer-owner Web signin and Harbor access boundaries. | Long-term identity provider, sessions, secrets, and authorization operating policy. |
| Runtime actions | Operator actions request runtime mutation through the API and expose bounded status evidence. | Managed Vault/KMS, managed SaaS observability/on-call, and managed backup RPO/RTO evidence. |
Control matrix
What is protected at the marketing-site layer.
| Control | Current implementation | Evidence path |
|---|---|---|
| Public/admin separation | Marketing navigation never links dashboard or console; shipped admin surfaces are marked noindex,nofollow. | Static bundle validator plus Cloudflare `_headers` checks. |
| Script boundary | Public HTML loads self-hosted scripts only; analytics loads only after consent through a first-party proxy. | CSP, self-hosted asset checks, and JavaScript sink scan. |
| Lead capture | The form posts to `/lead` and keeps a mailto fallback. It does not create a production account or payment method. | Cloudflare Pages Function smoke and contact page copy. |
| Runtime action safety | Operator actions are recorded as API events with bounded runtime mutation status evidence. | Dashboard/console disclosure and production-operation roadmap. |
Security copy is scoped to the current public surface.
BayStore does not currently claim SOC 2, ISO 27001, HIPAA, PCI DSS, or other third-party compliance certification. Any future certification or service commitment needs approved evidence before publication.