FU-YA
Data Security
Last updated: July 10, 2026
FU-YA is built with tenant isolation and least-privilege access as core design goals.
Access control
- JWT-based authentication with short-lived access tokens
- Role separation: Super Admin vs Company Admin
- API guards that enforce company-scoped queries
Data at rest & in transit
Database connections use TLS to Neon Postgres. Object storage (Cloudflare R2) uses encrypted transport and signed URLs for uploads/downloads. Passwords are hashed with bcrypt.
Application security
- Input validation on API boundaries
- CORS and environment-based secrets
- Principle of least privilege for service credentials
Incident response
Suspected security issues should be reported to security@fu-ya.app. We investigate and communicate material incidents to affected tenants as appropriate.