ErasureDocs
Security

Security

Product security model — auth, RBAC, secrets, connectors, evidence limits.

Security

Source: app_docs/guide/security-model.md, app_docs/api.md (conventions), app_docs/guide/faq.md.
Aligns with the marketing Security page.

Why it exists

Erasure holds consent proof, privacy requests, connector credentials, and evidence. Security is part of the product contract.

Architecture assumptions

  • Modular monolith; one Postgres
  • Operators use the console; subjects use public intake / SDK
  • Worker has network access to customer systems you configure

Authentication

ActorMechanism
OperatorSession bearer token; password scrypt; login uses dummy scrypt for missing users (timing)
SDKPublishable key hash lookup
Rights subjectOTP email; code hashed at rest
Billing webhookRazorpay HMAC

Sessions: opaque tokens, hashed in DB, ~30-day TTL; password change revokes all.
Browser storage (Closed Beta): token currently in localStorage—treat XSS as critical; CSP enforced. Cookie migration planned for GA—not shipped.

Password minimum length: 12.

Auth HTTP

See Authentication API for register/login/logout/me/password paths and status codes.

Authorization (RBAC)

RoleCan
OwnerAll + billing, publishable keys, secret rotation
AdminRead + write (projects, consent, rights, systems, maps)
ViewerRead only

Enforced on platform mutating routes. Non-members get 404 (no org leak); wrong role 403.

Multi-tenancy

Org membership gates org data; project access via org; Cases scoped by organizationId; receipts by projectId.
Cross-tenant reads must fail closed.

Secrets & encryption

SecretStorage
Passwordsscrypt
Sessions / publishable keysSHA-256 hash
Connector credentialsAES-256-GCM (CONNECTOR_SECRETS_KEY)
Anumati webhook signing secretsSame AES-GCM
OTPSHA-256 hash; email only

OTP (Rights intake)

  • Expiry, attempt limits, outstanding challenge caps
  • Single-use (mark used before case create)
  • Rate limits IP + email
  • Production: Resend; demo OTP forbidden in production

Webhooks

  • Anumati: HMAC signature header (X-Anumati-Signature); SSRF checks; no redirects
  • Signing secrets encrypted at rest

Connectors

  • SQL identifier allowlist + parameterized values
  • Production TLS required on SQL URLs (unless documented insecure private-network flag)
  • HTTP base URLs SSRF-checked
  • Worker egress should be controlled

Headers

Middleware sets CSP, HSTS (prod), frame deny, nosniff, etc. Details in engineering security.md.

Rate limits (summary)

Auth, register, publish, publishable key create, SDK config/consent, Rights intake—all limited.
429 responses include Retry-After and X-RateLimit-* headers (platform/SDK shapes documented in api.md).

Evidence limits

Evidence packages are exportable operational records—not a cryptographically sealed legal WORM archive in Beta.
Evidence is not a SIEM and not proof about unconnected systems.

Multi-tenant SaaS vs isolation

Architecture supports multi-tenant orgs in one deploy. For Closed Beta, isolate workers and trust RBAC + network policy (see security postfix audit references in product docs).

Migrating environments

Documented FAQ path:

  1. Migrate Postgres.
  2. Copy CONNECTOR_SECRETS_KEY or re-enter secrets.
  3. Reconfigure publishable keys (raw keys not recoverable).
  4. Point SDK origin at the new host.

Responsible disclosure

Report vulnerabilities privately to maintainers. Do not use production customer data in tests. Use your established Erasure contact until a public security mailbox is published.

Marketing Security page · API · Production checklist · Troubleshooting