# Security Policy
Effective: January 1, 2025
Last updated: January 30, 2026
## 1. Introduction
This Security Policy describes the security measures, practices, and commitments of Auditrail ("we," "our," or "us") to protect your data and ensure the security of our compliance tool service ("Service").
## 2. Security Principles
### 2.1 Multi-Tenant Isolation
- **Zero Cross-Tenant Data Access:** All data is scoped by organization_id. Every database query is filtered by organization ownership. No cross-tenant access is possible.
- **Organization Context from Auth:** Organization ID is derived exclusively from authentication session context, never from request payloads. Request data cannot override organization scope.
- **Storage Isolation:** Evidence and exports are stored in organization-specific directories:
  - Evidence: `organizations/{organization_id}/evidence/`
  - Exports: `organizations/{organization_id}/exports/`
### 2.2 Authentication and Access Control
- **WorkOS Integration:** Enterprise SSO and authentication managed through WorkOS AuthKit
- **Session-Based Authentication:** Secure session management with proper expiration
- **Organization Membership Required:** Access to organization data requires valid membership
- **Role-Based Access:** Organization administrators can manage member access and roles
### 2.3 Data Protection
- **Encryption in Transit:** All data transmission uses HTTPS/TLS encryption
- **Secure Storage:** Data stored in secure, access-controlled environments
- **UUID Filenames:** Evidence files use UUIDs to prevent collisions and enumeration
- **Query-Level Filtering:** All database queries automatically filter by organization_id
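The scoping rules in 2.1 and 2.3 (organization context taken from the session rather than the request, every query parameterized and filtered by `organization_id`, evidence stored under an organization directory with a UUID filename) are easiest to check against a concrete handler. The following is an added illustration for this page, not Auditrail's own code: the `Session` class, the sqlite schema, the sample rows and all helper names are assumptions.

```python
"""Organization scoping and query-level filtering, as this policy describes them.

Added illustration for this page, not Auditrail's own code. The Session class, the
sqlite schema, the sample rows and the helper names are all assumptions.
"""
import re
import sqlite3
import uuid
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ORG_ID_PATTERN = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


@dataclass(frozen=True)
class Session:
    """Populated by the authentication layer after login; clients cannot set these fields."""
    user_id: str
    organization_id: str


class NotFound(Exception):
    """Raised for missing evidence and for evidence owned by another organization alike,
    so the response does not reveal whether an id exists in some other tenant."""


def open_db() -> sqlite3.Connection:
    """In-memory store seeded with constructed sample rows from two organizations."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE evidence (id TEXT PRIMARY KEY, organization_id TEXT NOT NULL, name TEXT NOT NULL)"
    )
    db.executemany(
        "INSERT INTO evidence VALUES (?, ?, ?)",
        [("e1", "org-a", "policy.pdf"), ("e2", "org-a", "notes.txt"), ("e3", "org-b", "contract.docx")],
    )
    db.commit()
    return db


def scope_from_session(session: Session, payload: Dict[str, str]) -> str:
    """Derive the organization scope from the session only. A payload that names an
    organization is not an override: it is ignored, and a mismatch is worth an audit line."""
    org = session.organization_id
    if not ORG_ID_PATTERN.fullmatch(org):
        raise ValueError("malformed organization_id in session")
    if payload.get("organization_id") not in (None, org):
        print(f"audit: user {session.user_id} sent organization_id={payload['organization_id']!r}, "
              f"request scoped to {org!r}")
    return org


def list_evidence(db: sqlite3.Connection, session: Session, payload: Dict[str, str]) -> List[Tuple[str, str]]:
    """Parameterized query, always filtered by the session's organization."""
    org = scope_from_session(session, payload)
    return db.execute(
        "SELECT id, name FROM evidence WHERE organization_id = ? ORDER BY id", (org,)
    ).fetchall()


def get_evidence(db: sqlite3.Connection, session: Session, evidence_id: str) -> Tuple[str, str]:
    """Single-row lookup: the organization filter is part of the query, not a later check."""
    org = scope_from_session(session, {})
    row = db.execute(
        "SELECT id, name FROM evidence WHERE id = ? AND organization_id = ?", (evidence_id, org)
    ).fetchone()
    if row is None:
        raise NotFound(evidence_id)
    return row


def evidence_storage_path(session: Session, file_id: Optional[uuid.UUID] = None) -> str:
    """organizations/{organization_id}/evidence/{uuid}: the directory comes from the session
    and the filename is a random UUID, so a client-supplied name never reaches the path."""
    org = scope_from_session(session, {})
    return f"organizations/{org}/evidence/{file_id or uuid.uuid4()}"


if __name__ == "__main__":
    db = open_db()
    s = Session(user_id="u1", organization_id="org-a")
    print(list_evidence(db, s, {"organization_id": "org-b"}))  # still only org-a rows
    print(evidence_storage_path(s))
```

Two design points worth noting: the organization filter lives inside each SQL statement rather than in a post-query check, so a forgotten check cannot leak a row, and a cross-tenant id produces the same `NotFound` as a nonexistent one, so the API does not act as an existence oracle for other tenants' identifiers.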
## 3. Technical Security Measures
### 3.1 Infrastructure Security
- **Hosting:** Service hosted on secure cloud infrastructure
- **Network Security:** Firewalls and network segmentation
- **DDoS Protection:** Protection against distributed denial-of-service attacks
- **Regular Updates:** Infrastructure and dependencies kept up to date with security patches
### 3.2 Application Security
- **Input Validation:** All user inputs are validated and sanitized
- **CSRF Protection:** Cross-site request forgery protection enabled
- **SQL Injection Prevention:** Parameterized queries and ORM usage
- **XSS Protection:** Content Security Policy and output encoding
### 3.3 Code Security
- **Secure Development Practices:** Code reviews and security-focused development
- **Dependency Management:** Regular updates of dependencies with security patches
- **Vulnerability Scanning:** Regular security assessments and vulnerability scans
## 4. Data Handling and Storage
### 4.1 Data Types Stored
- **Evidence Files:** PDFs, DOCX, images, text notes uploaded by users
- **Control Mappings:** Links between evidence and compliance controls
- **Export Packages:** Deterministic ZIP files with organized evidence
- **Metadata:** File names, descriptions, timestamps, organization context
### 4.2 Data Storage Practices
- **Organization Scoping:** All data stored in organization-specific paths
- **Backup Procedures:** Regular backups with retention policies (details available on request)
- **Data Retention:** Data retained for as long as accounts are active
- **Deletion:** Deleted data removed from active storage; may remain in backups for up to 90 days
### 4.3 Export Safety
- **Deterministic Exports:** Point-in-time snapshots with repeatable structure
- **Organization-Only Evidence:** Exports contain only evidence from the requesting organization
- **No Cross-Tenant Data:** Export jobs never access data outside their organization directory
- **Secure Download:** Export packages available only to authorized organization members
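The export properties in 4.3 (a deterministic, repeatable package built only from the requesting organization's directory) can be demonstrated with a small packager. The following is an added illustration for this page, not Auditrail's export code: it assumes evidence lives on a local filesystem under `organizations/{organization_id}/evidence/`, that an export is a ZIP returned as bytes, and it builds its own constructed sample tree in `make_sample_tree()`.

```python
"""Deterministic, organization-confined export packaging.

Added illustration for this page, not Auditrail's code. It assumes evidence lives on a
local filesystem under organizations/{organization_id}/evidence/ and that an export is a
ZIP returned as bytes; the sample tree is constructed by make_sample_tree().
"""
import hashlib
import io
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, List

ZIP_EPOCH = (1980, 1, 1, 0, 0, 0)  # constant entry timestamp: identical input gives identical bytes


def build_export(root: Path, organization_id: str) -> bytes:
    """Package everything under the organization's evidence directory, and nothing outside it."""
    org_dir = (root / "organizations" / organization_id).resolve()
    evidence_dir = org_dir / "evidence"
    # Name entries by their path relative to the org directory and sort them later, so the
    # archive order does not depend on filesystem listing order.
    entries: Dict[str, Path] = {}
    for path in evidence_dir.rglob("*"):
        if not path.is_file():
            continue
        real = path.resolve()  # follow symlinks before the confinement check
        if org_dir not in real.parents:
            raise ValueError(f"{path} resolves outside {org_dir}")
        entries[real.relative_to(org_dir).as_posix()] = real
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in sorted(entries):
            info = zipfile.ZipInfo(name, date_time=ZIP_EPOCH)
            info.compress_type = zipfile.ZIP_DEFLATED
            info.create_system = 3          # pin the 'made by' field, which otherwise varies by OS
            info.external_attr = 0o644 << 16  # fixed unix mode instead of whatever the source file had
            zf.writestr(info, entries[name].read_bytes())
    return buf.getvalue()


def export_digest(data: bytes) -> str:
    """SHA-256 of the package; two snapshots of unchanged evidence share this value."""
    return hashlib.sha256(data).hexdigest()


def export_entries(data: bytes) -> List[str]:
    """Entry names in archive order, for verifying what a package contains."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def make_sample_tree() -> Path:
    """Constructed sample data: two organizations side by side in a temp directory."""
    root = Path(tempfile.mkdtemp())
    files = {
        "organizations/org-a/evidence/policy.pdf": b"%PDF-1.4 constructed sample",
        "organizations/org-a/evidence/notes/q1.txt": b"reviewed access list",
        "organizations/org-b/evidence/contract.docx": b"other tenant, must never appear",
    }
    for rel, body in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(body)
    return root


if __name__ == "__main__":
    root = make_sample_tree()
    pkg = build_export(root, "org-a")
    print(export_entries(pkg), export_digest(pkg))
```

Determinism here comes from three pinned inputs: sorted entry names, a constant timestamp and constant header fields, so the package hash changes only when the evidence itself changes, which is what makes a hash useful as a point-in-time attestation. The confinement check resolves symlinks before comparing against the organization directory; a file that points outside it fails the export rather than being silently included.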
## 5. Access Control
### 5.1 User Authentication
- **WorkOS AuthKit:** Enterprise-grade authentication and SSO
- **Session Management:** Secure session handling with proper expiration
- **Password Policies:** Managed by WorkOS (if applicable)
### 5.2 Organization Access
- **Membership Required:** Users must be members of an organization to access its data
- **Framework Ownership:** Framework access validated against organization ownership
- **Administrative Controls:** Organization administrators can manage members and access
### 5.3 API Security
- **Authentication Required:** All API endpoints require valid authentication
- **Organization Context:** API requests automatically scoped to user's organization
- **Rate Limiting:** Protection against abuse and excessive requests
## 6. Monitoring and Incident Response
### 6.1 Security Monitoring
- **Logging:** Comprehensive logging of security-relevant events
- **Anomaly Detection:** Monitoring for unusual access patterns
- **Audit Trails:** Logs of data access and modifications
### 6.2 Incident Response
- **Incident Response Plan:** Procedures for detecting, responding to, and recovering from security incidents
- **Notification:** Affected users notified of security incidents as required by law
- **Remediation:** Prompt action to address and mitigate security issues
### 6.3 Vulnerability Reporting
- **Responsible Disclosure:** We welcome responsible disclosure of security vulnerabilities
- **Reporting:** Security issues should be reported to security@auditrail.eu
- **Response Time:** We aim to acknowledge reports within 48 hours
## 7. Compliance and Certifications
### 7.1 Compliance Frameworks
- **ISO 27001:** We follow ISO 27001 security management principles (certification status available on request)
- **GDPR Compliance:** Data handling practices aligned with GDPR requirements
- **SOC 2:** Security practices aligned with SOC 2 Type II principles (certification status available on request)
### 7.2 Data Processing Agreements
- **DPAs Available:** Data Processing Agreements available for enterprise customers
- **Subprocessor List:** List of subprocessors available on request
## 8. Backup and Disaster Recovery
### 8.1 Backup Procedures
- **Regular Backups:** Regular automated backups of data and systems
- **Backup Retention:** Backups retained according to our retention policy
- **Backup Security:** Backups stored securely with access controls
### 8.2 Disaster Recovery
- **Recovery Procedures:** Documented procedures for disaster recovery
- **Recovery Time Objectives:** Recovery objectives defined and tested
- **Business Continuity:** Plans to maintain service availability
**Note:** Specific backup and retention details are available on request for enterprise customers.
## 9. Third-Party Services
### 9.1 Service Providers
We use the following third-party services:
- **WorkOS:** Authentication and SSO services
- **Paddle:** Payment processing
- **Hosting Provider:** Cloud infrastructure services
### 9.2 Security Assessments
- **Vendor Security:** We assess the security practices of third-party providers
- **Contractual Obligations:** Service providers are contractually obligated to protect data
- **Subprocessor Management:** Regular review of subprocessor security practices
## 10. Security Training and Awareness
### 10.1 Employee Training
- **Security Awareness:** Regular security training for employees
- **Best Practices:** Employees trained on security best practices
- **Incident Response:** Training on incident detection and response
### 10.2 Development Practices
- **Secure Coding:** Developers trained on secure coding practices
- **Code Reviews:** Security considerations in code review process
- **Security Testing:** Security testing integrated into development process
## 11. Your Responsibilities
### 11.1 Account Security
- **Strong Credentials:** Use strong, unique passwords
- **Account Access:** Protect your account credentials
- **Member Management:** Ensure only authorized personnel have organization access
### 11.2 Data Security
- **Sensitive Data:** Be mindful of sensitive data you upload
- **Access Control:** Manage organization membership appropriately
- **Backup:** Maintain your own backups of critical data
## 12. Security Contact
For security concerns, questions, or to report vulnerabilities:
- **Email:** security@auditrail.eu
- **Response Time:** We aim to respond within 48 hours
- **PGP Key:** Available on request for encrypted communications
## 13. Updates to This Security Policy
- We may update this Security Policy from time to time
- Material changes will be communicated via email or Service notification
- The "Effective Date" at the top indicates when the policy was last updated
## 14. Additional Resources
- [Privacy Policy](/privacy-policy) - How we handle your personal information
- [Terms of Service](/terms-of-service) - Terms governing your use of the Service
- [Cookie Policy](/cookie-policy) - Our use of cookies and tracking technologies