Security
Document trust starts with serious security.
We don't roll our own crypto. We use audited primitives and maintained libraries, and we separate what the system controls from what it delegates to an HSM/KMS or QTSP.
Reference standards
- OWASP ASVS 5.0 (Application Security Verification Standard)
- OWASP API Security Top 10
- OWASP Top 10
- NIST SP 800-57 — cryptographic key management
- NIST SP 800-63B — authentication and identity management
- TLS 1.3 mandatory in production
- RFC 3161 — qualified timestamping
- ETSI EN 319 142 (PAdES)
Core controls
Authentication
- · Argon2id for password hashing
- · Refresh-token rotation with reuse detection
- · TOTP MFA ready
- · Lockout and per-attempt rate limiting
- · Signed JWT sessions with explicit audience and issuer
Data at rest
- · Encryption at the object-store level
- · Logical immutability for signed artifacts
- · Versioning of critical objects
- · Retention policy per plan and per document type
Data in transit
- · TLS 1.3 (HSTS, preload-ready)
- · Security headers managed by Helmet
- · Restrictive CORS allowlist
- · No third-party cookies
Multi-tenant
- · Mandatory organizationId isolation on every query
- · Cross-tenant validation on every operation
- · Automated isolation tests
- · No cross-institution access, even for super admins, without an audit trail
Public verification
- · Rate limiting per IP and per CSV
- · Optional captcha for sustained abuse
- · Anti-enumeration: malformed CSVs rejected upfront
- · No sensitive information leakage
Traceability
- · Append-only audit trail
- · Per-institution hash chain (tamper-evident)
- · Correlation IDs in logs and responses
- · No secrets or unnecessary PII in logs