Security Is Our Foundation
As a compliance platform, AuditLink holds itself to the same standards we help you achieve. The controls below are not aspirations — they are shipped, exercised, and verified.
Infrastructure & Encryption
Tenant data is encrypted in flight and at rest, and tenant boundaries are enforced at the database layer — not just in application code.
TLS 1.3 + HSTS Preload
All traffic terminates with TLS 1.3 and HTTP Strict Transport Security with preload. Browsers that ship the preload list refuse to talk to us unencrypted, even on a first visit, so there is no window for an SSL-stripping attack before the first HSTS header arrives.
Encryption at Rest
Customer data is encrypted at rest by our database (Neon) and object storage (Vercel Blob) providers. High-sensitivity application secrets — TOTP seeds, SCIM bearer tokens, API tokens — are additionally protected with AES-256-GCM or bcrypt at the application layer.
Database-enforced Tenant Isolation
Every tenant-scoped table carries a Postgres Row-Level Security policy keyed to the session's tenant. Even if application code omits a tenant filter, the database returns no rows belonging to other tenants and rejects writes outside the current tenant. Because RLS does not bind table owners or superusers unless FORCE ROW LEVEL SECURITY is set, the guarantee rests on the application role not owning the tables; an automated isolation probe exercises the policies to confirm they hold.
Rate Limiting
Login attempts, attachment downloads, and inbound webhooks are rate-limited at the edge with sliding-window counters. Limit violations are recorded in the audit log and can trigger Slack alerts.
Authentication & Access
Multiple gates, monitored continuously. Every authenticated action is attributable; every privileged action is logged.
TOTP Multi-factor Authentication
Time-based one-time passwords (RFC 6238) using any authenticator app. TOTP seeds are AES-256-GCM encrypted at rest. Tenant administrators can require 2FA tenant-wide.
Session Idle Timeout
Sessions auto-expire after 30 minutes of inactivity. Activity is tracked server-side; the timeout is configurable per deployment.
Account Lockout
Repeated failed login attempts trigger an automatic lockout, recorded in the audit log with WARNING severity and surfaced via the suspicious-activity rule engine.
SAML 2.0 SSO + SCIM 2.0
Enterprise tenants can require Okta, Azure AD, OneLogin, JumpCloud, or any SAML 2.0 identity provider. SCIM 2.0 endpoints handle automatic user lifecycle (provision, deprovision, group → role mapping).
Granular Role-based Access
Permissions are checked on every server action and API route, not only at the page or navigation layer. The cross-tenant staff role is impersonation-only and write-blocked by design.
Scoped API Tokens
Customers issue API tokens with least-privilege scopes (e.g. audit-log:read only). Tokens are bcrypt-hashed at rest, shown once at creation, and forensically traceable via last-used timestamp + IP.
Logging, Monitoring & Detection
A complete audit trail that even privileged users cannot rewrite, plus automated detection of suspicious patterns.
Database-enforced Immutable Audit Log
A Postgres BEFORE UPDATE OR DELETE trigger raises an exception on any attempt to modify or remove an audit-log row, so neither application code nor an application-level privileged user can rewrite history. The only bypass is the documented retention-purge procedure, and each use of it is itself audit-logged.
Tenant-accessible Audit Log
Customers self-serve a search UI with date / user / entity / action filters and CSV export — no support ticket required. Useful for SOC 2 questionnaire responses and internal investigations.
Suspicious-activity Rule Engine
A rules engine evaluates the audit log every 5 minutes for failed-login bursts, account lockouts, bulk exports, privileged role changes, and CRITICAL-severity events. Matches are dispatched to Slack and deduplicated by fingerprint, so the same match does not page repeatedly across evaluation runs.
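To make the rule engine concrete, here is an added example (not AuditLink's engine) that runs the five rule families above over a constructed audit log and deduplicates alerts by fingerprint. Event action names, field names, thresholds (5 failed logins, 1000 exported rows), the 15-minute lookback and the fingerprint construction are all assumptions.

```typescript
// Added example (not AuditLink's code): suspicious-activity rules over audit entries
// with fingerprint deduplication. Event schema and thresholds are assumptions.
import { createHash } from "node:crypto";

export type Severity = "INFO" | "WARNING" | "CRITICAL";
export interface AuditEntry { ts: number; action: string; actor: string; severity: Severity; ip?: string; target?: string; rows?: number; }
export interface Alert { rule: string; subject: string; fingerprint: string; evidence: number; }
interface Match { subject: string; firstTs: number; evidence: number; }
interface DetectionRule { name: string; evaluate: (entries: AuditEntry[]) => Match[]; }

const PRIVILEGED_ROLES = new Set(["admin", "owner"]);

/** Group entries matching `pred` by actor; keep the earliest timestamp and the count. */
function byActor(entries: AuditEntry[], pred: (e: AuditEntry) => boolean, minCount = 1): Match[] {
  const groups = new Map<string, Match>();
  for (const e of entries) {
    if (!pred(e)) continue;
    const m = groups.get(e.actor);
    if (m) { m.evidence += 1; m.firstTs = Math.min(m.firstTs, e.ts); }
    else groups.set(e.actor, { subject: e.actor, firstTs: e.ts, evidence: 1 });
  }
  return Array.from(groups.values()).filter((m) => m.evidence >= minCount);
}

export const RULES: DetectionRule[] = [
  { name: "failed_login_burst", evaluate: (es) => byActor(es, (e) => e.action === "login.failed", 5) },
  { name: "account_lockout", evaluate: (es) => byActor(es, (e) => e.action === "auth.lockout") },
  { name: "bulk_export", evaluate: (es) => byActor(es, (e) => e.action === "export.completed" && (e.rows ?? 0) >= 1000) },
  { name: "privileged_role_change", evaluate: (es) => byActor(es, (e) => e.action === "role.changed" && PRIVILEGED_ROLES.has(e.target ?? "")) },
  { name: "critical_event", evaluate: (es) => byActor(es, (e) => e.severity === "CRITICAL") },
];

/** Stable across runs while the first matching event stays inside the lookback window. */
export function fingerprint(rule: string, subject: string, firstTs: number): string {
  return createHash("sha256").update(`${rule}|${subject}|${firstTs}`).digest("hex").slice(0, 16);
}

/** One scheduled evaluation. `seen` is the set of fingerprints already dispatched to Slack. */
export function evaluateWindow(log: AuditEntry[], now: number, lookbackMs: number, seen: Set<string>): Alert[] {
  const inWindow = log.filter((e) => e.ts > now - lookbackMs && e.ts <= now);
  const alerts: Alert[] = [];
  for (const rule of RULES) {
    for (const m of rule.evaluate(inWindow)) {
      const fp = fingerprint(rule.name, m.subject, m.firstTs);
      if (seen.has(fp)) continue; // already alerted in an earlier run
      seen.add(fp);
      alerts.push({ rule: rule.name, subject: m.subject, fingerprint: fp, evidence: m.evidence });
    }
  }
  return alerts;
}

// Constructed sample log (not real data): one match per rule plus one sub-threshold failure.
export const T0 = 1_700_000_000_000;
export const SAMPLE_LOG: AuditEntry[] = [
  ...[0, 1, 2, 3, 4, 5].map((i) => ({ ts: T0 + i * 1000, action: "login.failed", actor: "alice@example.com", ip: "203.0.113.5", severity: "WARNING" as Severity })),
  { ts: T0 + 10_000, action: "auth.lockout", actor: "bob@example.com", severity: "WARNING" },
  { ts: T0 + 20_000, action: "export.completed", actor: "carol@example.com", severity: "INFO", rows: 5000 },
  { ts: T0 + 30_000, action: "role.changed", actor: "dave@example.com", target: "admin", severity: "INFO" },
  { ts: T0 + 40_000, action: "integrity.check_failed", actor: "system", severity: "CRITICAL" },
  { ts: T0 + 50_000, action: "login.failed", actor: "erin@example.com", severity: "WARNING" },
];
```

Fingerprinting on the first matching timestamp rather than on the run time is what lets a lookback longer than the 5-minute cadence overlap between runs without re-paging for the same burst, while a fresh burst after the old one ages out gets a new fingerprint.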
Live Health Dashboard
Cron freshness, immutability-trigger health, GDPR pipeline state, and per-tenant anomaly detection are surfaced to operators in a single view. Silent failures get caught.
Data Protection & Privacy
GDPR-aligned customer-facing workflows for the right to erasure (Article 17) and the right to portability (Article 20).
GDPR Article 17 — Erasure
Tenant admins request user deletion in-app. A 7-day grace period allows reversal; after grace, an automated worker anonymizes audit-log entries (preserving trail integrity), cascades cleanup, and hard-deletes the user.
GDPR Article 20 — Portability
Tenant admins request a JSON export of any user. The export worker assembles profile, comments, findings, and assignment history into an archive with a 24-hour signed download URL.
Forensic Soft Delete
Deleted entities (audits, controls, attachments, comments) are preserved with a deletedAt marker so investigations can look back. Permanent deletion additionally wipes the underlying file from object storage.
Data Residency
Customer data is stored in our US (us-east-1) primary region. EU data residency is on our roadmap for enterprise customers — contact us to discuss.
Operational Security
Security controls applied to how we build, deploy, and operate the platform.
Continuous Dependency Scanning
Snyk runs on every pull request, every push to main, and nightly. The CI gate fails on any HIGH or CRITICAL CVE. snyk monitor catches newly-disclosed vulnerabilities in already-merged code.
Reviewed, Tested Changes Only
Production changes flow through pull request, code review, and automated typecheck, build, and security scan before a platform deploy that is itself auditable. The emergency-change carve-out is documented, and every use of it is recorded.
Quarterly Backup-restore Drill
A scheduled job creates a Neon recovery branch (point-in-time restore), runs read-only smoke checks against the restored copy (row counts, RLS policies, immutability trigger, migration completeness), and deletes the branch. Run history is retained 365 days.
Documented Incident Response
Severity tiers, named on-call roles, NIST-aligned response phases, and a 72-hour customer-notification commitment for confirmed personal-data exposure.
Hardened HTTP Headers
Strict CSP baseline, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and Cross-Origin-Opener/Resource-Policy ship as defense-in-depth against XSS, clickjacking, and Spectre-class attacks.
Verified Webhooks
Inbound webhooks (Stripe, integrations) require valid signatures verified with constant-time comparison. Misconfigured webhooks fail closed (412 Precondition Failed) — never silently accepted.
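The following is an added example (not AuditLink's handler) of the verification described above. It uses Stripe's published signing scheme, a header of the form t=<unix seconds>,v1=<hex HMAC-SHA256 over "<t>.<raw body>">, and assumes AuditLink's other integrations follow the same shape; the 412 for a missing secret comes from the page, while the 400 and 401 codes, the 5-minute replay tolerance and the function names are assumptions.

```typescript
// Added example (not AuditLink's code): webhook signature verification that fails
// closed when the secret is absent and compares in constant time. Scheme modelled
// on Stripe's t=/v1= header; status codes other than 412 are assumptions.
import { createHmac, timingSafeEqual } from "node:crypto";

export interface VerifyResult { status: 200 | 400 | 401 | 412; reason: string; }

/** What the sender attaches: v1 = HMAC-SHA256(secret, `${t}.${rawBody}`). */
export function sign(secret: string, rawBody: string, t: number): string {
  const v1 = createHmac("sha256", secret).update(`${t}.${rawBody}`).digest("hex");
  return `t=${t},v1=${v1}`;
}

export function verifyWebhook(
  secret: string | undefined,
  rawBody: string,
  header: string | undefined,
  nowSec: number,
  toleranceSec = 300,
): VerifyResult {
  // Fail closed: a missing secret is a deployment bug, not a reason to trust the payload.
  if (!secret) return { status: 412, reason: "webhook secret not configured" };
  if (!header) return { status: 400, reason: "missing signature header" };

  // Parse "k=v,k=v"; a key may repeat (several v1 values during secret rotation).
  const fields = new Map<string, string[]>();
  for (const kv of header.split(",")) {
    const i = kv.indexOf("=");
    if (i < 0) continue;
    const k = kv.slice(0, i).trim();
    const v = kv.slice(i + 1).trim();
    const list = fields.get(k) ?? [];
    list.push(v);
    fields.set(k, list);
  }
  const t = Number(fields.get("t")?.[0]);
  const candidates = fields.get("v1") ?? [];
  if (!Number.isFinite(t) || candidates.length === 0) return { status: 400, reason: "malformed signature header" };

  // Replay window: the timestamp is covered by the MAC, so an attacker cannot refresh it.
  if (Math.abs(nowSec - t) > toleranceSec) return { status: 401, reason: "timestamp outside tolerance" };

  const expected = Buffer.from(createHmac("sha256", secret).update(`${t}.${rawBody}`).digest("hex"), "utf8");
  const ok = candidates.some((c) => {
    const got = Buffer.from(c, "utf8");
    // timingSafeEqual throws on length mismatch, so check length first; hex length is not secret.
    return got.length === expected.length && timingSafeEqual(got, expected);
  });
  return ok ? { status: 200, reason: "verified" } : { status: 401, reason: "signature mismatch" };
}
```

The raw request body must be the exact bytes received; parsing and re-serializing JSON before hashing is the most common way this check breaks in production.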
Transparency
We publish what we use, who we share data with, and how to reach us when something looks wrong.
Public Sub-processor List
Every third-party that processes customer data is listed publicly with purpose, region, and data categories — at /legal/subprocessors. New sub-processors are notified 30 days in advance.
Coordinated Vulnerability Disclosure
Our /.well-known/security.txt advertises the security contact and our disclosure policy. Researchers acting in good faith are acknowledged within 2 business days.
Proactive Customer Communication
Status-page updates for availability incidents; per-tenant email for security events that affect customer data; advance notice for sub-processor changes.
Certifications & Compliance
Where AuditLink stands on industry-standard certifications and compliance attestations, including the ones still in progress.
SOC 2 Type I
In active preparation. Type I attestation expected to follow leadership sign-off on policies and engagement of an audit firm.
SOC 2 Type II
Type II observation window begins after Type I attestation. Pursuing coverage of Security, Availability, and Confidentiality Trust Services Criteria.
ISO 27001
On the roadmap. The application-layer controls already align to ISO/IEC 27001:2022 Annex A controls; remaining work is the management-system documentation.
GDPR Aligned
Article 17 (erasure) and Article 20 (portability) workflows are shipped and customer-accessible. Data Processing Addendum available on request.
Trust Resources
Specifics, contacts, and disclosure paths for customers, prospects, and security researchers.
Sub-processors
Every third-party that processes customer data, with purpose, region, and data categories.
View list →
Vulnerability Disclosure
RFC 9116 security.txt advertises our security contact and the policy researchers should follow.
Read security.txt →
Security Contact
For coordinated disclosure, customer security questionnaires, and DPA requests.
security@auditlink.io →
Security You Can Trust
AuditLink is built with the same security rigor we help you achieve.