03 — Security

Access, taken seriously.

Voris was built by a security researcher, so permissions, audit, and isolation are first-class — not bolted on after the fact. Every field is scoped, every action is logged, every client lives behind its own door.

Field-level RBAC · immutable audit · isolated client portals · configurable data residency.
Diagram: a Voris identity node gates three scoped domains — Client A, Client B, and the audit log — each behind its own permission boundary. IDENTITY RBAC GATE CLIENT A CLIENT B AUDIT LOG
Access control, in depth

Permissions that reach down to the field.

Most tools gate at the page or the record. Voris gates at the field — a project manager can read a client's billing address but never the bank details, an accountant can touch invoices but never see message threads. That granularity is the default, not an enterprise upgrade.

Three guarantees

Field-level RBAC, full audit, isolated portals.

Field-level RBAC

Roles are attached to individual fields, not screens. The same record renders differently for a designer, a bookkeeper, and a client — by design, not by accident.

Full audit trail

Every read, write, login, export, and permission change is recorded to an append-only log. It exports to CSV or JSON on demand — no ticket, no waiting on support.

Isolated client portals

Each client gets a scoped session that can only ever see its own projects, files, and threads. One agency, many sealed rooms — no cross-bleed, ever.

EncryptionIn transit & at rest
Access modelRole-based per-field
Audit logImmutable, exportable
Client isolationScoped sessions
Data residencyConfigurable by region
How it works

Three moves, then it runs itself.

You set the rules once. Voris enforces them on every request after that — no per-module configuration, no spreadsheets tracking who can see what.

Step 01

Define roles

Start from a template — owner, manager, specialist, accountant, client — or name your own. Each role is a bundle of field-level permissions, not a vague "admin" flag.

Step 02

Scope every field

For each role, mark every field as read, write, or hidden. The same client record shows a bookkeeper the tax ID and a designer the brief — and neither notices the gap.

Step 03

Log everything

From that point on, every action hits the immutable audit log automatically. Export it for a compliance review, a client question, or a post-mortem — no engineering ticket required.

Responsible disclosure

We'd rather hear it from you.

Voris runs a private disclosure program. If you find a vulnerability, report it through the channel below — we triage within one business day and credit researchers who help us close gaps.

Found something? We want to know.  Report it through our security disclosure channel — triaged within one business day, credited if you want it. Open the disclosure page →
Security you don't have to think about

Security you don't have to think about.

Field-level permissions, immutable audit, and isolated client portals — wired in from the first login, not added after the breach.