Security

Security architecture built for confidential workflows

High-trust controls for secure participation, controlled access, and auditable collaboration.

Identity & access

Verified account onboarding, secure authentication, multi-factor support, and controlled session management.

Role-based access

Organization and deal-level permissions enforced at the application and data layers. Tenant context is required for all workspace operations.

Audit trails

Immutable logging of sensitive actions and account events, queryable by organization administrators.

Secure document sharing

Time-limited, revocable download links with tenant-scoped object storage and permission checks on every request.

Authentication & session security

  • Credential handling - Passwords are securely hashed and plaintext credentials are never stored or logged.
  • Session model - Access uses secure session controls with protected storage and revocation support.
  • Multi-factor authentication - MFA is available for all accounts and can be enabled in Profile & Security settings.
  • Password recovery - Self-service reset uses secure, single-use email links and generic responses that avoid account enumeration.
  • Session control - Users can review active sessions and revoke them from settings. Password changes invalidate existing sessions.

Abuse protection

  • Rate limiting on authentication, password recovery, and sensitive API endpoints.
  • Resend and recovery throttling to prevent spam and brute-force abuse patterns.
  • Account enumeration resistance - login and recovery flows return generic responses that do not confirm account existence.

Data protection

  • Tenant isolation - All workspace records carry organization scope enforced by database query filters.
  • Field-level encryption - Sensitive profile and deal metadata is encrypted at rest.
  • PII handling - Email addresses and names are masked in audit metadata and outbound notifications where appropriate.
  • Client protection - Security-sensitive session artifacts are kept out of JavaScript-accessible application state.

Infrastructure

Monitored systems, health-checked dependencies, structured logging with sensitive data redaction, and secure object storage for document artifacts. All API traffic is served over HTTPS with security headers applied at the edge.

Review our security posture with your team

Contact security