Security
Built for sensitive evidence, controlled sharing, and operational accountability.
SecurityPassport is designed to help teams manage compliance and security evidence with clear access boundaries, verifiable activity history, and practical controls for day-to-day trust operations.
Access and identity
- JWT-based authentication with secure cookie login flow
- Role-aware tenant membership and scoped access control
- Verified-email enforcement on sensitive actions
- Login lockout and rate limiting protections
Evidence and sharing
- Tenant-scoped evidence records and file storage
- Revocable share links for external review workflows
- Export generation for audit and trust-pack delivery
- Evidence freshness and lifecycle visibility
Operational visibility
- Audit logging across evidence, exports, invites, and admin actions
- Request logging and error monitoring support
- Tenant lifecycle controls including warn, disable, and archive states
- Billing-aware enforcement and quota controls
Infrastructure controls
- TLS in production for data in transit
- Private code repository and controlled onboarding model
- Environment-based infrastructure and storage configuration
- Production email verification, reset, and invite workflows
Security model overview
Tenant isolation
Tenant context is enforced per request and operational data is scoped to tenant ownership throughout the application.
Traceability
Core actions are logged to support accountability, review workflows, and incident investigation.
Controlled exposure
Evidence sharing uses purpose-built links and revocation instead of uncontrolled document distribution.
Responsible disclosure
If you believe you have identified a security issue, please report it responsibly and include enough detail for reproduction and triage.