Security

Security as architecture, not afterthought.

Every credential, every payload, every journal posting is engineered for an audit trail you can hand to a regulator. Here's the short version of what that means.

⚿

Encryption at rest

Field-level encryption for PII and tokens using libsodium secretbox. Searchable fields use HMAC-SHA256 blind indexes.

⇆

Encryption in transit

TLS 1.2+ required. HSTS preloadable. Internal service mesh communication is mTLS where applicable.

⛒

Zero PAN storage

Card numbers never touch our database. Payments tokenise via gateway (Stripe/Adyen/Auth.net), we store only brand + last4 + fingerprint.

⟳

Argon2id passwords

Memory-hard hashing with auto-rehash on policy change. Per-account and per-IP lockout. Timing-safe verification.

2FA

RFC 6238 TOTP

TOTP enrolment with manual secret entry. No third-party QR generation (your secret stays on our servers).

SSO

SAML / OAuth SSO

Enterprise tier supports SAML 2.0 and OAuth/OIDC. Group-to-role mapping is JSON-configured.

∎

Hash-chained audit

Every audit row links to its predecessor via SHA-256. Nightly cron walks the chain and alerts on breaks.

⌗

Tenant isolation

Every query is tenant-scoped. Hash chains never cross tenants. Audit chains never cross tenants. Period locks never cross tenants.

RBAC

Role-based access

Granular permissions per role. Branch-scoped role assignments. Sensitive operations require approval workflows.

Engineering controls in detail

Authentication

Argon2id hashing (memory 64MB, time 4, parallel 2)
Constant-time username lookup (no early return on missing user)
Per-IP and per-account lockout with sliding window
Session rotation on every state change
Sessions stored as sha256 of session_id; revocable server-side
MFA enrolment mandatory for finance, admin and approval roles

Application

All POSTs CSRF-protected (double-submit token + per-session secret)
Strict Content-Security-Policy, X-Content-Type-Options, Referrer-Policy
Prepared statements only — no string-built SQL anywhere in the codebase
HTML output escaped via central Security::e()
Rate-limited login, password reset, API, contact and webhook endpoints

Data

Field-level encryption for: email, phone, tax ID, MFA secret, payment tokens, passport/visa numbers
Blind indexes (HMAC-SHA256) for encrypted-but-searchable fields
Append-only audit log table — no rows ever updated or deleted
Per-tenant journal hash chain; tamper proof at row level
Period close locks: no entry can land in a closed period

Operations

SIEM-ready structured logging
SOC 2 controls roadmap (Type 1 then Type 2)
GDPR / CCPA right-to-erasure workflow with cascaded redaction
Backup snapshots; documented disaster-recovery RPO/RTO
Secrets in environment, not in code; rotated quarterly

For deep-dive whitepapers, penetration test summaries or our SOC 2 readiness package, contact us.