Authentication & sessions
- Federated sign-in (OAuth). SmartPRO does not store user passwords — authentication is delegated to an OAuth identity provider, so there is no local password database to breach.
- Session cookies are hardened. The session token is issued as an `httpOnly` cookie (not readable by JavaScript), marked `secure` over HTTPS, with `SameSite` protection, and scoped to the application domain.
Multi-factor authentication (MFA)
- TOTP-based MFA is supported for all users (compatible with Google Authenticator, Authy, etc.), with one-time backup codes.
- MFA secrets are encrypted at rest (AES-256-GCM) and protected against code replay.
- MFA is enforced for platform-administrator accounts. For regular company users it is currently optional (self-enrolment). Mandatory MFA for privileged company roles (admin/finance) is a recommended roadmap item.
Access control (RBAC) & tenant isolation
- Role-based access control with distinct roles: `company_admin`, `hr_admin`, `finance_admin`, `reviewer`, `external_auditor`, `company_member`, `client`, plus platform-level `platform_admin` / `super_admin`.
- Least-privilege mutations. Write operations pass through explicit guards (e.g. read-only `external_auditor` accounts are blocked from mutations).
- Visibility scoping. Users see data only within their scope — company → department → team → self.
- Tenant isolation. Every record is scoped to a `company_id`; one company cannot read another company's data.
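The three checks above (read-only role guard, visibility scoping, tenant isolation) combined into one deny-by-default authorization function, as an added illustration rather than SmartPRO's own code. The role names are the page's; the `Actor`/`Record` model, the `ROLE_SCOPE` mapping of roles to scope levels, and the helper names are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Roles from the page. external_auditor is read-only and blocked from mutations.
READ_ONLY_ROLES = {"external_auditor"}
PLATFORM_ROLES = {"platform_admin", "super_admin"}
# Assumed mapping of each company role to the widest scope it may read.
ROLE_SCOPE = {
    "company_admin": "company", "hr_admin": "company", "finance_admin": "company",
    "external_auditor": "company", "reviewer": "team",
    "company_member": "self", "client": "self",
}

@dataclass(frozen=True)
class Actor:
    user_id: str
    company_id: str
    role: str
    department_id: Optional[str] = None
    team_id: Optional[str] = None

@dataclass(frozen=True)
class Record:
    owner_id: str
    company_id: str          # every record is tenant-scoped
    department_id: Optional[str] = None
    team_id: Optional[str] = None

class Forbidden(Exception):
    pass

def can_read(actor: Actor, record: Record) -> bool:
    """Tenant isolation first, then company -> department -> team -> self scoping."""
    if actor.role in PLATFORM_ROLES:
        return True
    if actor.company_id != record.company_id:   # never cross the tenant boundary
        return False
    scope = ROLE_SCOPE.get(actor.role)
    if scope == "company":
        return True
    if scope == "department":
        return actor.department_id is not None and actor.department_id == record.department_id
    if scope == "team":
        return actor.team_id is not None and actor.team_id == record.team_id
    if scope == "self":
        return actor.user_id == record.owner_id
    return False   # unknown role: deny by default

def guard_mutation(actor: Actor, record: Record) -> bool:
    """Least-privilege write guard: read-only roles and out-of-scope records are refused."""
    if actor.role in READ_ONLY_ROLES:
        raise Forbidden(f"{actor.role} is read-only")
    if not can_read(actor, record):
        raise Forbidden("record is outside the actor's scope or tenant")
    return True
```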
Audit logging
- Tamper-evident audit trail. Sensitive actions — privilege changes, payroll approval/payment, attendance approvals, logins — are recorded with actor, action, entity, tenant, before/after values, and timestamp.
- Audit tables carry delete-protection so history cannot be quietly removed.
Abuse & rate-limiting
Endpoint-specific rate limits protect against brute-force and abuse, including tighter limits on authentication routes and signature-verified limits on inbound webhooks (payments, messaging).
Encryption
| Layer | Status |
|---|---|
| In transit | Enforced. HTTPS with HSTS (1-year, includeSubDomains, preload); insecure requests upgraded. |
| Secrets at rest (MFA secrets, third-party OAuth tokens) | Enforced. AES-256-GCM. |
| Employee PII at rest (salary, IBAN, civil ID, passport) | Infrastructure-level. Not field-encrypted in the application today; protected by access control + read-time redaction and by database/host encryption at the hosting layer. Application-level field encryption for the most sensitive fields is a recommended roadmap item. |
Do not claim field-level encryption of salary/IBAN/civil-ID in a customer or DPA context — it is not implemented in the application. State only transport encryption + access controls, and confirm database-at-rest encryption with your hosting provider.
Application security headers
Enforced in production: a strict Content-Security-Policy (no unsafe-eval, tight frame-src allow-list), X-Frame-Options: DENY (clickjacking protection), X-Content-Type-Options: nosniff, and Referrer-Policy: strict-origin-when-cross-origin. CORS is restricted to configured origins.
Secrets management
All secrets are supplied via environment variables (no hardcoded credentials). Production startup fails closed if critical secrets (database URL, signing key, encryption keys) are missing.
Responsible disclosure
Found a vulnerability? Email security@thesmartpro.io with details and reproduction steps. Please do not publicly disclose until we've had a reasonable window to remediate. (Confirm this mailbox is monitored before publishing.)