Security
Product security model — auth, RBAC, secrets, connectors, evidence limits.
Security
Source: app_docs/guide/security-model.md, app_docs/api.md (conventions), app_docs/guide/faq.md.
Aligns with the marketing Security page.
Why it exists
Erasure holds consent proof, privacy requests, connector credentials, and evidence. Security is part of the product contract.
Architecture assumptions
- Modular monolith; one Postgres
- Operators use the console; subjects use public intake / SDK
- Worker has network access to customer systems you configure
Authentication
| Actor | Mechanism |
|---|---|
| Operator | Session bearer token; password scrypt; login uses dummy scrypt for missing users (timing) |
| SDK | Publishable key hash lookup |
| Rights subject | OTP email; code hashed at rest |
| Billing webhook | Razorpay HMAC |
Sessions: opaque tokens, hashed in DB, ~30-day TTL; password change revokes all.
Browser storage (Closed Beta): token currently in localStorage—treat XSS as critical; CSP enforced. Cookie migration planned for GA—not shipped.
Password minimum length: 12.
Auth HTTP
See Authentication API for register/login/logout/me/password paths and status codes.
Authorization (RBAC)
| Role | Can |
|---|---|
| Owner | All + billing, publishable keys, secret rotation |
| Admin | Read + write (projects, consent, rights, systems, maps) |
| Viewer | Read only |
Enforced on platform mutating routes. Non-members get 404 (no org leak); wrong role 403.
Multi-tenancy
Org membership gates org data; project access via org; Cases scoped by organizationId; receipts by projectId.
Cross-tenant reads must fail closed.
Secrets & encryption
| Secret | Storage |
|---|---|
| Passwords | scrypt |
| Sessions / publishable keys | SHA-256 hash |
| Connector credentials | AES-256-GCM (CONNECTOR_SECRETS_KEY) |
| Anumati webhook signing secrets | Same AES-GCM |
| OTP | SHA-256 hash; email only |
OTP (Rights intake)
- Expiry, attempt limits, outstanding challenge caps
- Single-use (mark used before case create)
- Rate limits IP + email
- Production: Resend; demo OTP forbidden in production
Webhooks
- Anumati: HMAC signature header (
X-Anumati-Signature); SSRF checks; no redirects - Signing secrets encrypted at rest
Connectors
- SQL identifier allowlist + parameterized values
- Production TLS required on SQL URLs (unless documented insecure private-network flag)
- HTTP base URLs SSRF-checked
- Worker egress should be controlled
Headers
Middleware sets CSP, HSTS (prod), frame deny, nosniff, etc. Details in engineering security.md.
Rate limits (summary)
Auth, register, publish, publishable key create, SDK config/consent, Rights intake—all limited.
429 responses include Retry-After and X-RateLimit-* headers (platform/SDK shapes documented in api.md).
Evidence limits
Evidence packages are exportable operational records—not a cryptographically sealed legal WORM archive in Beta.
Evidence is not a SIEM and not proof about unconnected systems.
Multi-tenant SaaS vs isolation
Architecture supports multi-tenant orgs in one deploy. For Closed Beta, isolate workers and trust RBAC + network policy (see security postfix audit references in product docs).
Migrating environments
Documented FAQ path:
- Migrate Postgres.
- Copy
CONNECTOR_SECRETS_KEYor re-enter secrets. - Reconfigure publishable keys (raw keys not recoverable).
- Point SDK origin at the new host.
Responsible disclosure
Report vulnerabilities privately to maintainers. Do not use production customer data in tests. Use your established Erasure contact until a public security mailbox is published.
Related
Marketing Security page · API · Production checklist · Troubleshooting