Security is
not optional.
Your customer data is the most sensitive asset in your business. Here's what we've actually built to protect it.
Password hashing with bcrypt
All passwords are hashed using bcryptjs with a cost factor of 12 before storage. Plain-text passwords are never written to disk.
JWT-based session management
Sessions are managed via signed JWTs (NextAuth v5). Tokens expire after 24 hours and are never stored server-side — only validated on each request.
Role-based access control (RBAC)
Every user is assigned one or more roles. Each role maps to a precise set of named permissions. API routes check permissions on every request before executing business logic.
Google OAuth 2.0
Users can authenticate via Google. Tokens are validated server-side using the OAuth 2.0 code flow with offline access. Credentials are never stored in the frontend.
Workspace isolation (multi-tenancy)
All data is scoped to a workspaceId at the database level. Every query includes a workspace filter — cross-workspace data leakage is prevented by design.
Encrypted transport (TLS)
All traffic between clients and the server is encrypted in transit via HTTPS/TLS. The X-Powered-By header is suppressed to reduce fingerprinting surface.
Auth metrics & anomaly tracking
Every authentication attempt, failure, and success is recorded via an internal metrics system. Failed login reasons (wrong password, missing hash, user not found) are logged for monitoring.
Email masking in logs
Emails are masked (e.g. jo***@example.com) before being written to any log output, preventing PII leakage in server logs.
Found something? Report it responsibly at [email protected]. We respond within 24 hours.
