Security & Compliance

Built for the shops that can’t afford a breach.

Five layers. One brain. Zero ad-network surveillance.

Your slab inventory, your builder pipeline, your homeowner PII, your supplier API keys, your shop-floor IoT footprint — all of it is data nobody else in this category is engineering for. GladiusStone is.

AWAIS IQ 145 · 261 attack patterns catalogued · 0 shop breaches
Five layers of defense

Stack the layers. Break one, the next holds.

Each layer is implemented in our own code, audited at every PR, instrumented with cron health checks. No third-party security-theatre dependencies.

01

Encryption at rest

PII columns (homeowner names, phones, emails, addresses, payment intent IDs) and builder credit terms are AES-GCM encrypted at the application layer before Postgres ever sees them. Keys rotate via envelope encryption. Single-tenant Postgres available on Enterprise.
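As an added illustration (not GladiusStone's own code) of the envelope-encryption scheme this layer describes, the following TypeScript seals one PII cell under a per-row data key with AES-256-GCM, wraps that data key under a versioned key-encryption key, and rotates the KEK without touching the column ciphertext. The KEK values, the stored cell layout and the tenant/column AAD binding are assumptions made for the example.

```typescript
import { createCipheriv, createDecipheriv, randomBytes } from "crypto";

// Constructed key-encryption keys (KEKs), one per version; in production they come from a KMS.
const KEKS: Record<string, Buffer> = { v1: randomBytes(32), v2: randomBytes(32) };

interface Sealed { iv: string; ct: string; tag: string }           // all base64

function seal(key: Buffer, plain: Buffer, aad: Buffer): Sealed {
  const iv = randomBytes(12);                                        // 96-bit nonce, fresh per seal
  const c = createCipheriv("aes-256-gcm", key, iv);
  c.setAAD(aad);
  const ct = Buffer.concat([c.update(plain), c.final()]);
  return { iv: iv.toString("base64"), ct: ct.toString("base64"), tag: c.getAuthTag().toString("base64") };
}

function open(key: Buffer, s: Sealed, aad: Buffer): Buffer {
  const d = createDecipheriv("aes-256-gcm", key, Buffer.from(s.iv, "base64"));
  d.setAAD(aad);
  d.setAuthTag(Buffer.from(s.tag, "base64"));                        // final() throws on tamper or wrong AAD
  return Buffer.concat([d.update(Buffer.from(s.ct, "base64")), d.final()]);
}

// What the Postgres column actually stores (assumed layout): the value sealed under a per-row
// data key (DEK), the DEK sealed under a versioned KEK, and the KEK version so rotation can find it.
export interface EncryptedCell { kekVersion: string; wrappedDek: Sealed; value: Sealed }

// AAD binds the ciphertext to its tenant and column, so a cell copied into another tenant's row will not decrypt.
const aadFor = (tenantId: string, column: string) => Buffer.from(`${tenantId}:${column}`, "utf8");

export function encryptCell(plain: string, tenantId: string, column: string, kekVersion = "v1"): EncryptedCell {
  const dek = randomBytes(32);
  const aad = aadFor(tenantId, column);
  return { kekVersion, wrappedDek: seal(KEKS[kekVersion], dek, aad), value: seal(dek, Buffer.from(plain, "utf8"), aad) };
}

export function decryptCell(cell: EncryptedCell, tenantId: string, column: string): string {
  const aad = aadFor(tenantId, column);
  const dek = open(KEKS[cell.kekVersion], cell.wrappedDek, aad);
  return open(dek, cell.value, aad).toString("utf8");
}

// Envelope rotation: only the wrapped DEK is re-sealed under the new KEK; the column ciphertext is untouched.
export function rotateKek(cell: EncryptedCell, tenantId: string, column: string, toVersion: string): EncryptedCell {
  const aad = aadFor(tenantId, column);
  const dek = open(KEKS[cell.kekVersion], cell.wrappedDek, aad);
  return { ...cell, kekVersion: toVersion, wrappedDek: seal(KEKS[toVersion], dek, aad) };
}
```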

02

Homegrown TOTP MFA

RFC 6238 implementation. AES-GCM wrapped secrets, bcrypt-hashed backup codes, 5-minute pending-MFA cookie for the challenge flow. Shop owners can force-enrol every seat — including the template tech in the field — via mfaRequiredByTenant.
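An added RFC 6238 example in TypeScript (not the product's implementation), using only Node's crypto module: HOTP per RFC 4226, TOTP on 30-second steps, and a verifier with a ±1-step skew window and constant-time comparison. The replay guard via a stored last-used counter is a design assumption; the test secret is the RFC's own ASCII key.

```typescript
import { createHmac, timingSafeEqual } from "crypto";

// HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, mod 10^digits.
export function hotp(secret: Buffer, counter: bigint, digits = 6): string {
  const msg = Buffer.alloc(8);
  msg.writeBigUInt64BE(counter);
  const mac = createHmac("sha1", secret).update(msg).digest();
  const offset = mac[mac.length - 1] & 0x0f;
  const bin = ((mac[offset] & 0x7f) << 24) | (mac[offset + 1] << 16) | (mac[offset + 2] << 8) | mac[offset + 3];
  return (bin % 10 ** digits).toString().padStart(digits, "0");
}

// TOTP (RFC 6238): the counter is the number of 30-second steps since the Unix epoch.
export function totp(secret: Buffer, unixSeconds: number, step = 30, digits = 6): string {
  return hotp(secret, BigInt(Math.floor(unixSeconds / step)), digits);
}

export interface VerifyResult { ok: boolean; counter?: bigint }

// Verify a submitted code within ±window steps of clock skew, comparing in constant time.
// lastUsedCounter is the step of the last code accepted for this user (assumed to be stored
// alongside the wrapped secret); any counter at or below it is refused, so a code observed
// during the pending-MFA challenge cannot be replayed inside the same step.
export function verifyTotp(
  secret: Buffer, code: string, unixSeconds: number, lastUsedCounter: bigint | null,
  window = 1, step = 30, digits = 6,
): VerifyResult {
  if (!/^\d+$/.test(code) || code.length !== digits) return { ok: false };
  const now = BigInt(Math.floor(unixSeconds / step));
  for (let d = -window; d <= window; d++) {
    const counter = now + BigInt(d);
    if (lastUsedCounter !== null && counter <= lastUsedCounter) continue;
    const expected = Buffer.from(hotp(secret, counter, digits), "utf8");
    if (timingSafeEqual(expected, Buffer.from(code, "utf8"))) return { ok: true, counter };
  }
  return { ok: false };
}
```

The caller persists the returned counter as the new lastUsedCounter only after the whole challenge succeeds.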

03

AWAIS application-layer defense

66 diagnostic rules, 53 error signatures, 261 root causes, IQ 145 self-grading engine. Genetic rule evolution. Active deception inside the app. Watches every endpoint — including the QuickBooks sync surface and the public DXF engines — across all five Gladius verticals in real time.

04

Multi-tenant isolation

Every slab, every quote, every install, every invoice carries a tenantId FK enforced in tRPC middleware before any handler runs. Single-tenant Postgres database per shop available on Enterprise. No shared-row leakage path even on a compromised handler.

05

Audit trail (soft-delete only)

Customers, quotes, jobs, slabs, and remnants are never hard-deleted — only flagged via deletedAt. Every state change writes an activity row. Crons are instrumented through cron_runs for retroactive forensics. OSHA, Cal/OSHA, and your insurance carrier all want this paper trail.

What stone shops actually carry

The risk surface no other vendor sees.

Moraware was written when CNC controllers weren’t online and dust monitors didn’t send telemetry. Today’s shop is a connected operation. We treat it like one.

Shop-floor IoT surface

Dust monitors, CNC controllers, slab scanners, template-tech tablets — every connected device is a potential pivot. GladiusStone runs the field PWA on signed sessions only and refuses any IoT integration that can't prove its identity to the AWAIS gate.

Contractor + builder PII

Your builder pipeline holds margin terms, payment history, and credit memos that those builders are not authorized to see about each other. Tenant isolation is enforced at the row level + the tRPC middleware level + the Prisma read level — three checkpoints, not one.

Supplier API keys

Cambria, Caesarstone, Silestone, your nearest quarry — every distributor account uses a different key. Keys are envelope-encrypted, scoped to a single tenant, and never logged. Rotation is one click in the shop owner's settings.

QuickBooks Online sync

OAuth tokens live encrypted, refresh on a per-tenant clock, and the sync surface is rate-limited at our edge so a compromised key can't exfiltrate your full general ledger in one burst.

The AI watchdog

AWAIS — the category we created

Autonomous Web Application Intelligence System. Embedded inside the app — not bolted on like a WAF. Learns attacker playbooks, plants deception, evolves its own rules, and watches all five Gladius verticals through one brain. When the auto vertical learns a new SQL-injection signature, your stone shop is hardened in under 30 seconds.

  • $0 inference cost · pure-math algorithms
  • 66 rules · 53 signatures · 261 root causes · IQ 145
  • Sentinel Mesh — federation events propagate across 5 verticals in <30s

What we’re certified for

Honest about the box-checks. No marketing gloss.

We publish where we’re compliant, where we’re in progress, and where the framework doesn’t apply. If you’re an auditor or an insurance underwriter, your evidence packet is ready.

FTC Safeguards Rule

Compliant

Column-level PII encryption, access controls, MFA on every account, encryption in transit (TLS 1.3 + HSTS preload), incident response plan, vendor risk management. The FTC Safeguards Rule still applies to fabricators that finance work or take card-on-file.

OSHA 1926.1153 (Silica)

By design

Silica Shield is the regulatory engine — exposure logs, fit-test records, dust-monitor telemetry, written exposure control plan generation. Cal/OSHA + federal OSHA evidence packet exports in one tap.

SOC 2 Type II

In progress

Trust services criteria mapped to controls. Continuous evidence collection in place. Auditor engagement targeted Q4 2026. We will publish the report under NDA on request.

PCI-DSS

By design

Card data never touches our servers. Stripe Elements hosts the form; we receive only a tokenized reference. GladiusPay is built on Stripe Connect, out-of-scope for the full PCI envelope.

Request architecture

Every request, six checkpoints deep.

A request from a shop owner’s laptop — or a template tech’s tablet on a kitchen floor — clears all six before it touches a database row. Each checkpoint is its own audit log.

01

Request

Browser → Vercel Edge / CDN. TLS 1.3, HSTS preload, COOP, CORP. Strict CSP rejects unknown script origins. The field PWA gets the same treatment as the manager dashboard.

02

AWAIS gate

Every request screened by Defense — bot scoring, fingerprint, behavioral z-score, deception traps. Hostile traffic gets a doppler response, never the real route. The kill-chain detector flags multi-step recon before it crosses the wire.

03

Next.js Edge / Node runtime

Stateless HMAC-signed session in an httpOnly + Secure + SameSite=Lax cookie. Field-tech tablets carry a short-lived session that the manager can revoke from the dashboard.

04

tRPC middleware (tenant gate)

Session decoded, tenantId resolved, MFA verified, role checked. Every router input passes Zod validation. tenantId FK auto-stamped on every Prisma write. Locked-surface guardrail blocks the money paths from drift.

05

Prisma ORM

Parameterized queries only — no string-concat SQL anywhere in the surface. tenantId required on every read; cross-tenant queries throw at the model layer. Soft-delete enforced on customers, quotes, jobs, slabs, remnants.

06

Postgres (Supabase)

Encrypted at rest. RLS policies as defense-in-depth. Single-tenant Postgres available on Enterprise. Backups encrypted with separate KMS keys.
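The following TypeScript, added here and not taken from GladiusStone's code base, models checkpoints 03 and 04 above (the HMAC-signed stateless session and the tenant gate, the same control Layer 04 describes) without the tRPC library itself. The signing key, session fields, role names and error strings are assumptions for the example.

```typescript
import { createHmac, timingSafeEqual } from "crypto";

// Constructed signing key for the stateless session; the real one would come from the runtime's secret store.
const SESSION_KEY = Buffer.from("constructed-session-hmac-key-not-for-production", "utf8");

export interface Session { userId: string; tenantId: string; role: "owner" | "tech"; mfaVerified: boolean; exp: number }

// Stateless session cookie value: base64url(JSON payload) + "." + HMAC-SHA256(payload).
export function signSession(s: Session): string {
  const body = Buffer.from(JSON.stringify(s), "utf8").toString("base64url");
  const sig = createHmac("sha256", SESSION_KEY).update(body).digest("base64url");
  return `${body}.${sig}`;
}

// Returns the session only if the MAC verifies (constant-time compare) and it has not expired.
export function verifySession(cookie: string, nowSeconds: number): Session | null {
  const [body, sig] = cookie.split(".");
  if (!body || !sig) return null;
  const expected = createHmac("sha256", SESSION_KEY).update(body).digest();
  const given = Buffer.from(sig, "base64url");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  const s = JSON.parse(Buffer.from(body, "base64url").toString("utf8")) as Session;
  return s.exp > nowSeconds ? s : null;
}

export interface Ctx { tenantId: string; userId: string; role: Session["role"] }

// Tenant gate in the shape of a tRPC middleware (the tRPC library is not used here): session decoded,
// tenantId resolved from the session alone, MFA and role checked, then the handler runs with a ctx it
// cannot widen. A tenantId supplied in the input is only ever compared against the session, never trusted.
export function tenantGate<I extends { tenantId?: string }, O>(
  cookie: string | undefined, input: I, nowSeconds: number,
  requiredRole: Session["role"], handler: (ctx: Ctx, input: I) => O,
): O {
  const s = cookie ? verifySession(cookie, nowSeconds) : null;
  if (!s) throw new Error("UNAUTHORIZED");
  if (!s.mfaVerified) throw new Error("MFA_REQUIRED");
  if (requiredRole === "owner" && s.role !== "owner") throw new Error("FORBIDDEN");
  if (input.tenantId !== undefined && input.tenantId !== s.tenantId) throw new Error("FORBIDDEN");
  return handler({ tenantId: s.tenantId, userId: s.userId, role: s.role }, input);
}

// Example write handler: the row is stamped with ctx.tenantId, never with anything the client sent.
export function createSlab(ctx: Ctx, input: { material: string; tenantId?: string }) {
  return { material: input.material, tenantId: ctx.tenantId, createdBy: ctx.userId };
}
```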

vs. the legacy fabrication vendors

The category never engineered for this.

Moraware ships on ASP.NET WebForms architecture from 2009. Stone Profit Systems is 15+ years old. Neither was built assuming the shop floor has IoT devices, a customer portal, or a real attack surface. Here’s how GladiusStone is engineered differently.

Feature | GladiusStone | Typical legacy fabrication SaaS
PII column-level encryption | AES-GCM in every PII column | Row-level disk encryption only
MFA enforcement | Tenant-wide force-enrol switch | Optional, opt-in per seat
Application-layer threat detection | AWAIS — embedded, self-learning, federated | Perimeter WAF only (if anything)
Multi-tenant isolation | tRPC middleware + Enterprise single-DB option | Shared row, app-level filter only
Silica compliance | Silica Shield engine — daily, on-event, evidence-export | Binder on a shelf
Breach disclosure SLA | 72 hours, written, in contract | Silence until press inquiry

“Typical legacy fabrication SaaS” column reflects publicly documented architecture from Moraware, Stone Profit Systems, ActionFlow, SlabWare, and iCounterSoft. Where individual vendors have improved, we’ll happily update — send a pointer to security@gladiusstone.com.

Our pledges

Written down. In the contract.

These are not aspirations — they live in our MSA and they hold in court.

  • 01 We will disclose any confirmed security incident affecting customer or shop data within 72 hours of confirmation, in writing, to every affected shop owner. This commitment lives in our MSA.
  • 02 We will never sell, share, or syndicate shop data — slab inventory, builder pipeline, homeowner PII, or quote history — to a third party for marketing, lead resale, or model training. Shop data is shop property.
  • 03 We will never run unannounced production exports for analytics. All cross-tenant analytics (Pricing Intelligence, the Stone Encyclopedia, the Remnant Exchange) use anonymized aggregates with k-anonymity enforced.
  • 04 Researchers who report a vulnerability in good faith will not face legal action. We pay bug bounties out of pocket — see below.

Responsible disclosure

Found a vulnerability? We’ll pay you and thank you.

Email security@gladiusstone.com with a description, reproduction steps, and the impact you believe it has. We acknowledge within 24 hours, fix high-severity issues within 7 days, and pay a bounty from $250 for low-impact findings up to $10,000 for critical pre-auth RCE or multi-tenant data crossing. No legal action against good-faith researchers — that’s our pledge.

Ack SLA

24 hours

Bounty range

$250 – $10,000

Gladius Inc. · GladiusStone · 2026