Security is
not optional.

Your customer data is the most sensitive asset in your business. Here's what we've actually built to protect it.

Security PracticesLast reviewed: Jun 2026
ACTIVE

Password hashing with bcrypt

All passwords are hashed using bcryptjs with a cost factor of 12 before storage. Plain-text passwords are never written to disk.

ACTIVE

JWT-based session management

Sessions are managed via signed JWTs (NextAuth v5). Tokens expire after 24 hours and are never stored server-side — only validated on each request.

ENFORCED

Role-based access control (RBAC)

Every user is assigned one or more roles. Each role maps to a precise set of named permissions. API routes check permissions on every request before executing business logic.

ACTIVE

Google OAuth 2.0

Users can authenticate via Google. Tokens are validated server-side using the OAuth 2.0 code flow with offline access. Credentials are never stored in the frontend.

ENFORCED

Workspace isolation (multi-tenancy)

All data is scoped to a workspaceId at the database level. Every query includes a workspace filter — cross-workspace data leakage is prevented by design.

ACTIVE

Encrypted transport (TLS)

All traffic between clients and the server is encrypted in transit via HTTPS/TLS. The X-Powered-By header is suppressed to reduce fingerprinting surface.

MONITORED

Auth metrics & anomaly tracking

Every authentication attempt, failure, and success is recorded via an internal metrics system. Failed login reasons (wrong password, missing hash, user not found) are logged for monitoring.

ACTIVE

Email masking in logs

Emails are masked (e.g. jo***@example.com) before being written to any log output, preventing PII leakage in server logs.

Report a Vulnerability

Found something? Report it responsibly at [email protected]. We respond within 24 hours.