Security model

Permissions you can trust.

Built on a deny-by-default data layer. Hidden in the UI is not enough — Halo enforces access at the database, the storage layer, and the viewer.

Deny-by-default RLS

Every table enforces row-level security. UI never alone gates access.

Granular permissions

Per-room, per-folder, per-document, per-user and per-team rules.

Signed-URL viewer

Documents stream from private storage with short-lived signed URLs.

Watermarking

Viewer-side watermark with viewer email, timestamp and IP.

View-only by default

Download is a separately granted permission, logged on use.

Append-only audit log

Every meaningful action recorded. Exportable for compliance.