Security

1. Overview

At Verity Audit, security is a top priority. We implement multiple layers of protection to ensure your audit data remains safe and confidential. This page describes the security measures we have in place.

2. Authentication & Access Control

2.1 Password Security

• Secure Hashing: All passwords are hashed using bcrypt with salt. We never store passwords in plain text.
• Strong Password Requirements: Minimum 8 characters with uppercase, lowercase, number, and special character required.
• Common Password Blocking: Weak and commonly-used passwords are automatically rejected.

2.2 Session Management

• Secure, httpOnly cookies that cannot be accessed by JavaScript
• Sessions stored in database (not memory) for reliability
• Automatic session expiration for security

2.3 Brute Force Protection

• Login Rate Limiting: Repeated failed login attempts are automatically blocked
• Password Reset Limiting: Rate limiting prevents abuse of password reset functionality
• Signup Limiting: Rate limiting prevents automated account creation

2.4 Role-Based Access Control

We implement 5 distinct user roles with granular permissions:

• System Admin: Platform administration
• Head of Audit: Full audit management capabilities
• Manager: Issue verification and team oversight
• Auditor: Fieldwork and documentation
• Auditee: View-only access to relevant findings

3. Application Security

3.1 Protection Against Common Attacks

• SQL Injection: All database queries use parameterized statements
• Cross-Site Scripting (XSS): Input sanitization and Content Security Policy
• Cross-Site Request Forgery (CSRF): Token-based protection on all forms
• Clickjacking: X-Frame-Options header prevents embedding in malicious sites

3.2 Security Headers

We implement comprehensive HTTP security headers:

• Content-Security-Policy: Controls which resources can be loaded
• Strict-Transport-Security (HSTS): Enforces HTTPS connections (1 year max-age)
• X-Frame-Options: Prevents clickjacking attacks
• X-Content-Type-Options: Prevents MIME sniffing
• X-XSS-Protection: Additional XSS protection for older browsers
• Referrer-Policy: Controls referrer information
• Permissions-Policy: Disables unnecessary browser features

4. Data Security

4.1 Encryption in Transit

All data transmitted between your browser and our servers is encrypted using TLS/SSL (HTTPS). We enforce HTTPS-only connections.

4.2 Multi-Tenant Data Isolation

Each organization's data is logically separated using organization-level access controls. Users can only access data belonging to their own organization. Every database query is filtered by organization ID.

4.3 Data Ownership

You retain full ownership of all data you upload to Verity Audit. We do not sell, share, or use your audit data for any purpose other than providing the service to you.

5. Infrastructure

5.1 Hosting

• Cloud Provider: DigitalOcean (enterprise-grade data centers)
• CDN & DDoS Protection: Cloudflare
• Database: Managed database with connection pooling

5.2 Backups

• Automated daily database backups
• Backups retained for disaster recovery
• Tested recovery procedures

5.3 Monitoring

• Application uptime monitoring
• Error logging and alerting
• Security audit logging (failed logins, password changes, admin actions)

6. Compliance

Verity Audit is designed to support internal audit functions in accordance with the Global Internal Audit Standards (GIAS). Our workflow covers the complete audit lifecycle from planning through follow-up.

7. Responsible Disclosure

We take security seriously. If you discover a security vulnerability, please report it responsibly:

• Email: [email protected]
• Provide detailed information about the vulnerability
• Allow reasonable time for us to investigate and fix the issue before public disclosure

8. Questions

If you have security questions or need additional information for your procurement process, please contact us at [email protected].