DashboardSupportWelcome

👤 USER DOCS

Getting Started

Daily Operations

Shift Workspace & TasksPre-Shift SetupLine-Up CardsShift ReportsForms

Staff & Locations

Staff SchedulingManaging Locations

Oversight

Manager ReportsAnalyticsPre-Shift & Compliance

Incidents & Feedback

Incident ReportingAnonymous FeedbackMessages & Announcements

AI & Settings

AI ChatgearApp Settings

Administration

Dashboard & OnboardingAdmin

⚙️ DEVELOPER DOCS

Getting Started

Getting StartedDevelopmentDeployment Guide

Architecture

Architecture OverviewData FlowArchitecture Decision Records

Core Domain

Core DomainDatabase ReferenceLocations DomainAuth & RBACScheduling DomainReports DomainIncidents DomainNotifications DomainAudit Log & OptimizationDesign Audit Findings

Frontend

Frontend ArchitectureFormsLoading SkeletonsComponentsPWA & NotificationsimageScreenshots

API Reference

API Reference

Endpoints

POS Sales APIOptimization Data APISchedule Shifts APIEmployee Export APIReports APIIncidents APIAI Chat APIPush Notifications APIWebhooks APICron API

Contributing

ContributingcodeCode Examples

Security

Security & Compliance
Danvas IconDanvas
Danvas IconDanvas

Security & Compliance

Technical design of authentication, authorization, and data protection

Overview

Danvas employs a multi-layered security strategy to protect sensitive operational data. This includes robust identity management via Clerk, strict multi-tenant isolation, automated rate limiting, and comprehensive audit trails.

Authentication & Identity

Clerk Integration

We leverage Clerk for all authentication and session management.

  • Teams: Mapped to Clerk Organizations.
  • Roles: Enforced through Clerk publicMetadata and synchronized to our local users table.
  • Provisioning: Automated via provisionUser() on first sign-in and kept in sync via webhooks.

Auth Guards

All data access is guarded by server-side checks.

import

Code Examples

Code patterns used in Danvas development

On this page

OverviewAuthentication & IdentityClerk IntegrationAuth GuardsData IsolationAPI & Network SecurityRate LimitingSecurity HeadersData ProtectionEncryption at RestAudit TrailRelated
{ requireAdmin }
from
"@repo/auth/get-user-auth"
;
export async function secureAction() {
const auth = await requireAdmin(); // Ensures user is authenticated and has admin role
}

Data Isolation

Danvas is a multi-tenant platform. Data isolation is enforced at the database query level using the teamId (Clerk Organization ID).

  • Multi-tenancy: Every row in the database (except global configuration) contains a teamId.
  • Query Scoping: All Drizzle queries MUST include a filter for the active team.
  • Location Isolation: Operational data (reports, shifts, incidents) is further isolated by locationId.

API & Network Security

Rate Limiting

We use Upstash Redis to implement sliding-window rate limiting on critical endpoints.

  • AI Chat: 20 requests per minute per user.
  • Public APIs: 10 requests per minute per IP.
  • Fallback: System falls back to in-memory limiting if Redis is unreachable.

Security Headers

All HTTP responses include security-hardening headers via Nosecone:

  • CSP: Restricts content sources to trusted domains.
  • HSTS: Enforces secure connections over HTTPS.
  • X-Frame-Options: Prevents clickjacking attacks.

Data Protection

Encryption at Rest

Sensitive information, such as Matrix access tokens and Slack bot secrets, is encrypted using AES-256-GCM before being stored in the database.

Audit Trail

The audit_log table captures all administrative and sensitive actions, including:

  • User role changes.
  • Incident escalations.
  • Form definition updates.
  • Security configuration changes.

Related

Auth & RBAC Domain

API Security

Database Schema