Security & Compliance

How we protect customer data.

Authentication

  • OIDC via Keycloak in production; a shared-secret HS256 dev login exists for local development only
  • JWT access tokens with refresh-token rotation
  • API keys for programmatic access (hashed at rest, plaintext shown once)
  • Role-based access control: admin, finance_lead, analyst, reviewer, auditor

Tenant isolation

  • The tenant for every authenticated request is taken from the tenant claim in the JWT, never from client-supplied input
  • If an X-Tenant-ID header is sent and disagrees with that claim, the request is rejected with 403; the header cannot be used to impersonate another tenant
  • Service-layer query filters on every read/write
  • Postgres row-level security as a defense-in-depth layer
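The request-level part of the isolation model above, written out as an added example (it is not the product's own code). It uses a minimal HS256 signer in place of the dev login, a `tenant_id` claim, a `typ` claim to distinguish access from refresh tokens, and a `resolve_tenant` function that returns the HTTP status a framework middleware would emit; the claim names, the secret and the function names are assumptions. The `typ` check is the same rejection of refresh tokens on protected endpoints that the data-protection section mentions.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption: the local HS256 dev login uses a shared secret like this one.
DEV_SECRET = b"dev-only-secret-do-not-use-in-prod"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_dev_token(sub: str, tenant_id: str, typ: str = "access", ttl: int = 900) -> str:
    # Assumed claim layout: tenant_id carries the tenant, typ is "access" or "refresh".
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": sub, "tenant_id": tenant_id, "typ": typ, "exp": int(time.time()) + ttl}
    signing_input = b64url_encode(json.dumps(header).encode()) + "." + b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(DEV_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_dev_token(token: str):
    """Return the claims if the signature and expiry check out, else None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        if header.get("alg") != "HS256":  # refuse alg confusion (e.g. "none")
            return None
        expected = hmac.new(DEV_SECRET, (h + "." + p).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            return None
        payload = json.loads(b64url_decode(p))
    except ValueError:  # covers bad base64, bad JSON, wrong segment count
        return None
    if payload.get("exp", 0) < time.time():
        return None
    return payload


def resolve_tenant(headers: dict):
    """Return (http_status, tenant_id). The tenant comes from the token only."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, None
    claims = verify_dev_token(auth[len("Bearer "):])
    if claims is None:
        return 401, None
    if claims.get("typ") != "access":  # refresh tokens are rejected on protected endpoints
        return 401, None
    tenant = claims.get("tenant_id")
    if not tenant:
        return 401, None
    header_tenant = headers.get("X-Tenant-ID")
    if header_tenant is not None and header_tenant != tenant:
        return 403, None  # header disagrees with the token: no impersonation
    return 200, tenant
```

The header is only ever compared against the claim, never used as a source of the tenant; the service-layer filters and the Postgres row-level-security policies would then be keyed on the value `resolve_tenant` returns, so a bug in one layer does not widen the other.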

Audit & evidence

  • Immutable audit log of every authenticated request
  • Per-tenant SHA-256 hash chain in the evidence vault: each entry commits to the hash of the entry before it, so any modification of an earlier entry is detectable (tamper-evident)
  • CSV export for auditors with date / action / resource filters
  • Document upload events stamped into the evidence chain automatically
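The hash-chain construction the evidence vault relies on, as an added example rather than the product's implementation. Each link hashes the tenant id, its sequence number, the previous link's hash and a canonical serialisation of the event; `verify` walks the chain from a fixed genesis value and reports the first broken link. The record layout and function names are assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first entry in every tenant's chain


def canonical(obj) -> bytes:
    # Deterministic serialisation: key order and whitespace never change the hash.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(tenant_id: str, seq: int, prev_hash: str, event: dict) -> str:
    # Each link commits to the tenant, its position, the previous link and the event body.
    material = canonical({"tenant_id": tenant_id, "seq": seq, "prev_hash": prev_hash, "event": event})
    return hashlib.sha256(material).hexdigest()


class TenantChain:
    """One hash chain per tenant (assumed layout: a list of entry dicts)."""

    def __init__(self, tenant_id: str):
        self.tenant_id = tenant_id
        self.entries = []

    def append(self, event: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        seq = len(self.entries)
        h = entry_hash(self.tenant_id, seq, prev, event)
        self.entries.append({"seq": seq, "prev_hash": prev, "event": event, "hash": h})
        return h

    def head(self) -> str:
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self, expected_head=None):
        """Return (ok, first_bad_seq). Recomputes every link from genesis."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev_hash"] != prev:
                return False, i
            if entry_hash(self.tenant_id, i, prev, e["event"]) != e["hash"]:
                return False, i
            prev = e["hash"]
        if expected_head is not None and prev != expected_head:
            return False, len(self.entries)  # chain is internally consistent but truncated/replaced
        return True, None


if __name__ == "__main__":
    # Constructed sample events, in the shape a document upload or approval might produce.
    chain = TenantChain("t-acme")
    chain.append({"actor": "alice", "action": "document.upload", "resource": "doc-17"})
    chain.append({"actor": "bob", "action": "report.approve", "resource": "rpt-3"})
    print("intact:", chain.verify())
    chain.entries[0]["event"]["actor"] = "mallory"
    print("after edit:", chain.verify())
```

The chain detects edits to any entry only as long as the verifier also knows a head hash the database writer cannot rewrite; an attacker who can rewrite rows can recompute every link. Exporting the current head to the auditor (alongside the CSV export) or to a write-once location turns the chain from self-consistent into genuinely tamper-evident, which is what the `expected_head` argument models.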

Data protection

  • TLS 1.3 in transit; encryption at rest (managed by your hosting provider)
  • Webhook payloads signed with HMAC-SHA256 per subscription secret
  • API keys are stored only as SHA-256 hashes and looked up by hash; the plaintext is never persisted
  • Refresh tokens are accepted only by the token-refresh flow; presenting one as a bearer token on a protected endpoint is rejected
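Two of the items above written out as an added example (not the product's own code): webhook signing and verification with a per-subscription HMAC-SHA256 secret, and API-key storage that keeps only the SHA-256 hash. The header names, the timestamp in the signed string, the `ak_` key prefix and the in-memory store are assumptions.

```python
import hashlib
import hmac
import secrets
import time


def sign_webhook(secret: bytes, body: bytes, timestamp: int) -> str:
    # Assumption: the timestamp is bound into the MAC so a captured delivery
    # cannot be replayed after the tolerance window.
    return hmac.new(secret, str(timestamp).encode() + b"." + body, hashlib.sha256).hexdigest()


def build_webhook_headers(secret: bytes, body: bytes, timestamp=None) -> dict:
    ts = int(time.time()) if timestamp is None else timestamp
    return {
        "X-Webhook-Timestamp": str(ts),                              # assumed header name
        "X-Webhook-Signature": "sha256=" + sign_webhook(secret, body, ts),  # assumed header name
    }


def verify_webhook(secret: bytes, body: bytes, headers: dict, now=None, tolerance: int = 300) -> bool:
    """Receiver side: recompute over the raw body and compare in constant time."""
    now = int(time.time()) if now is None else now
    try:
        ts = int(headers["X-Webhook-Timestamp"])
        scheme, sent = headers["X-Webhook-Signature"].split("=", 1)
    except (KeyError, ValueError):
        return False
    if scheme != "sha256" or abs(now - ts) > tolerance:
        return False
    return hmac.compare_digest(sign_webhook(secret, body, ts), sent)


# Assumption: an in-memory stand-in for the table that holds sha256(key) -> owner.
API_KEY_STORE = {}


def issue_api_key(tenant_id: str, key_id: str) -> str:
    # 256 bits of randomness, so an unsalted SHA-256 is enough: there is nothing to dictionary-attack.
    plaintext = "ak_" + secrets.token_urlsafe(32)
    API_KEY_STORE[hashlib.sha256(plaintext.encode()).hexdigest()] = {"tenant_id": tenant_id, "key_id": key_id}
    return plaintext  # shown to the caller once, then forgotten


def lookup_api_key(presented: str):
    """Return the owner record for a presented key, or None. Only the hash is ever compared."""
    return API_KEY_STORE.get(hashlib.sha256(presented.encode()).hexdigest())


if __name__ == "__main__":
    subscription_secret = b"whsec_constructed_example"            # constructed sample
    body = b'{"event":"document.uploaded","id":"doc-17"}'         # constructed sample payload
    hdrs = build_webhook_headers(subscription_secret, body)
    print("valid:", verify_webhook(subscription_secret, body, hdrs))
    print("tampered:", verify_webhook(subscription_secret, body + b" ", hdrs))
    key = issue_api_key("t-acme", "key-1")
    print("lookup:", lookup_api_key(key), "| stored plaintext?", key in str(API_KEY_STORE))
```

Receivers must verify over the raw request bytes, not a re-serialised JSON object, because any whitespace or key-order change breaks the MAC. The unsalted hash for API keys is acceptable only because the key itself is high-entropy; a low-entropy secret such as a password needs a slow, salted password hash instead.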

Compliance roadmap

  • SOC 2 Type II audit — planned
  • ISO 27001 alignment — planned
  • GDPR data export + deletion — implemented at the API level

Questions? Contact our security team.