Security Practices
How SyncHQ Pro protects your data and your customers' data
Last updated: February 2026
Encryption
AES-256 encryption for all data at rest
TLS 1.2+ for all data in transit
Encrypted IndexedDB for offline data (Dexie.js encryption)
Secure cookie-based authentication (httpOnly, Secure, SameSite)
Infrastructure
Hosted on Microsoft Azure (enterprise-grade)
Azure SQL Database with automated backups
Azure Key Vault for secrets management (RBAC)
Azure Container Registry with managed identity
PostgreSQL SSL enforced in production
Authentication & Access
JWT tokens via httpOnly cookies (no localStorage)
CSRF protection via Origin/Referer validation
Account lockout after 5 failed attempts (15-minute cooldown)
Role-based access control (RBAC)
Multi-tenant data isolation (company-scoped queries)
Application Security
Zod schema validation on all API endpoints
DOMPurify XSS protection on user inputs
Content Security Policy (CSP) headers
HTTP Parameter Pollution (HPP) prevention
Rate limiting (1,000 requests/15 min per IP)
Request body size limit (1 MB)
CI/CD & Code Quality
11 pre-commit quality gates
Comprehensive automated testing (unit, integration, contract, E2E)
High code coverage across backend and frontend
GitHub Actions CI/CD with SAST scanning
All GitHub Actions pinned to tagged versions
No test-skipping bypass in CI pipeline
Compliance
GDPR compliant (data export, account deletion)
DPDPA 2023 compliant (India)
Data retention policies enforced
GDPR account deletion processor (automated)
Cookie consent management
Report a Security Issue
If you discover a security vulnerability, please report it responsibly.
Email: security@servicesynchq.com