Forensic-grade logging
Searchable from the admin UI and filterable by user, entity, or time range. Each entry persists independently of the request that wrote it, and the log is what powers forensics after security incidents.
Security is enforced at every layer — not as a feature add-on, but as the default shape of every code path. Every request goes through the same bootstrap; every state-changing form requires a CSRF token; every SQL statement uses parameter binding.
| Threat | Mitigation |
|---|---|
| SQL injection | PDO prepared statements everywhere. No string-concatenated SQL anywhere in user-facing code paths. Schema enforced via INFORMATION_SCHEMA at runtime. |
| Cross-site scripting (XSS) | All user-controlled output runs through e() (htmlspecialchars) by convention. Content-Security-Policy and X-Content-Type-Options headers set globally. |
| Cross-site request forgery (CSRF) | Every POST form includes a per-session CSRF token; csrf_required() validates before any handler runs. |
| Brute-force credentials | Admin login records login_attempts + last_failed_login_at; configurable lockout window blocks further attempts after threshold. Partner-side throttle on the roadmap. |
| Session hijacking | Session cookie is Secure, HttpOnly, SameSite=Lax. session_regenerate_id() called at every authentication boundary. Cookies expire on a strict TTL. |
| Transport layer | HTTPS enforced. HSTS-eligible. Self-checked at /system-health. |
| Privilege escalation | Fine-grained permission system (~80 named permissions). Every admin and partner-user has an explicit allow-list. require_permission() enforced at every handler entry. |
| Clickjacking | X-Frame-Options: SAMEORIGIN. Permissions-Policy locks down geolocation, camera (self-only for in-browser capture), microphone (self-only for voice notes), and display-capture. |
| Credential leak via UI | Partner-owned gateway secrets (access tokens, app secrets, SMTP passwords) are write-only from the admin UI. Once stored, the input field returns to placeholder. Display routes never return them in plaintext. |
| Sensitive data exposure | Server-only folders (/includes, /db) blocked at the .htaccess layer. /uploads cannot execute PHP. Direct file-extension URL access redirected to extensionless form. |
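The table above names the controls but not how they fit into one request path. The following PHP bootstrap is an added illustration written for this page, not the product's own code: the helper names `e()`, `csrf_required()` and `require_permission()` come from the table, but their bodies, the cookie TTL, the header values, the `partners` table, the permission string `partners.rename` and the `db_connect()` helper are all assumptions.

```php
<?php
// Added example: one request bootstrap that applies the table's controls in order.
// Helper bodies, header values and table/column names are assumptions, not the product's code.
declare(strict_types=1);

// --- Session cookie: Secure, HttpOnly, SameSite=Lax, strict TTL (30 min assumed) ---
session_set_cookie_params([
    'lifetime' => 1800,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

// --- Global response headers, set once for every code path ---
header("Content-Security-Policy: default-src 'self'; frame-ancestors 'self'");
header('X-Content-Type-Options: nosniff');
header('X-Frame-Options: SAMEORIGIN');
header('Permissions-Policy: geolocation=(), camera=(self), microphone=(self), display-capture=()');
header('Strict-Transport-Security: max-age=31536000; includeSubDomains');

// --- Output escaping: every user-controlled value goes through e() ---
function e(?string $value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// --- CSRF: one random token per session, embedded in every POST form ---
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="' . e(csrf_token()) . '">';
}

function csrf_required(): void
{
    $sent = $_POST['csrf_token'] ?? '';
    // hash_equals() compares in constant time; a missing or wrong token ends the request.
    if (!is_string($sent) || !hash_equals(csrf_token(), $sent)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
}

// --- Authorization: explicit allow-list checked at handler entry ---
function require_permission(string $permission): void
{
    $granted = $_SESSION['permissions'] ?? []; // filled at login; layout assumed
    if (!in_array($permission, $granted, true)) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// --- Authentication boundary: rotate the session id so a pre-login id is never reused ---
function login_user(int $userId, array $permissions): void
{
    session_regenerate_id(true);
    $_SESSION['user_id']     = $userId;
    $_SESSION['permissions'] = $permissions;
}

// --- Data access: real server-side prepared statements, no string-built SQL ---
function db_connect(): PDO
{
    // Placeholder DSN/credentials: read from your configuration, never hard-code them.
    return new PDO(getenv('DB_DSN') ?: 'mysql:host=localhost;dbname=app', getenv('DB_USER') ?: '', getenv('DB_PASS') ?: '', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // bind on the server, not by client-side quoting
    ]);
}

function find_partner(PDO $db, string $partnerId): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM partners WHERE id = :id');
    $stmt->execute([':id' => $partnerId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- A state-changing handler in the order the page describes ---
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    csrf_required();                        // validated before any handler logic
    require_permission('partners.rename');  // hypothetical permission name
    $partner = find_partner(db_connect(), (string) ($_POST['id'] ?? ''));
    if ($partner !== null) {
        echo '<p>Renaming ' . e($partner['name']) . '</p>';
    }
}
```

Two points worth checking in your own bootstrap: `PDO::ATTR_EMULATE_PREPARES => false` makes the "prepared statements everywhere" claim hold at the database rather than through client-side quoting, and `session_regenerate_id(true)` must run at every boundary where privilege changes (login, OTP step-up, role switch), not only at the initial login.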
Every admin action writes a row to audit_logs with the actor, timestamp, IP address, entity affected, and the action taken — enabling post-incident forensics, regulatory reporting, and internal compliance reviews.
Sensitive operations — data deletion, credential rotation, partner suspension — require an out-of-band OTP confirmation before they proceed. The confirmation is required of the actor regardless of role.
Audit rows capture the full payload diff, not just the action name, so you can reconstruct exactly what changed and what it was before without having to inspect application code.
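The following PHP is an added example of what "actor, timestamp, IP, entity, action, plus payload diff" looks like as code; it is not the product's own audit implementation. The audit_logs column names, the `partners` table, the redaction list, and the `rename_partner()` flow are assumptions. It also shows two caveats the text implies: write-only secrets must not leak back out through the diff, and the audit row is written in the same transaction as the change so neither can exist without the other.

```php
<?php
// Added example: audit row with a before/after payload diff, written atomically with the change.
// Column names, table names and the redaction list are assumptions, not the product's schema.
declare(strict_types=1);

// Fields whose values must never land in an audit row in plaintext (assumed list).
const AUDIT_REDACTED_FIELDS = ['smtp_password', 'access_token', 'app_secret'];

// Return only the keys whose value changed, as ['field' => ['before' => x, 'after' => y]].
function audit_diff(array $before, array $after): array
{
    $diff = [];
    foreach (array_unique(array_merge(array_keys($before), array_keys($after))) as $key) {
        $old = $before[$key] ?? null;
        $new = $after[$key] ?? null;
        if ($old === $new) {
            continue;
        }
        if (in_array($key, AUDIT_REDACTED_FIELDS, true)) {
            // Record that the secret rotated, never its value.
            $diff[$key] = ['before' => '[redacted]', 'after' => '[redacted]'];
        } else {
            $diff[$key] = ['before' => $old, 'after' => $new];
        }
    }
    return $diff;
}

// Insert the audit row using the caller's open transaction.
function audit_log(PDO $db, int $actorId, string $action, string $entityType,
                   string $entityId, array $before, array $after): void
{
    $stmt = $db->prepare(
        'INSERT INTO audit_logs (actor_id, action, entity_type, entity_id, ip_address, payload_diff, created_at)
         VALUES (:actor, :action, :etype, :eid, :ip, :diff, :ts)'
    );
    $stmt->execute([
        ':actor'  => $actorId,
        ':action' => $action,
        ':etype'  => $entityType,
        ':eid'    => $entityId,
        ':ip'     => $_SERVER['REMOTE_ADDR'] ?? 'cli',
        ':diff'   => json_encode(audit_diff($before, $after), JSON_THROW_ON_ERROR),
        ':ts'     => gmdate('Y-m-d\TH:i:s\Z'),
    ]);
}

// Example mutation: rename a partner and record the change in one transaction.
function rename_partner(PDO $db, int $actorId, string $partnerId, string $newName): void
{
    $db->beginTransaction();
    try {
        // Lock the row so the "before" snapshot matches what the UPDATE overwrites (MySQL syntax).
        $sel = $db->prepare('SELECT id, name, status, smtp_password FROM partners WHERE id = :id FOR UPDATE');
        $sel->execute([':id' => $partnerId]);
        $before = $sel->fetch(PDO::FETCH_ASSOC);
        if ($before === false) {
            throw new RuntimeException('partner not found');
        }

        $upd = $db->prepare('UPDATE partners SET name = :name WHERE id = :id');
        $upd->execute([':name' => $newName, ':id' => $partnerId]);

        $after = ['name' => $newName] + $before;
        audit_log($db, $actorId, 'partner.rename', 'partner', $partnerId, $before, $after);

        $db->commit(); // change and audit row become visible together
    } catch (Throwable $e) {
        $db->rollBack(); // neither the change nor the audit row survives
        throw $e;
    }
}
```

The redaction step matters because the page states gateway secrets are write-only from the UI; an audit diff that stored the old and new SMTP password in plaintext would reopen the channel the UI closed. Keeping `audit_log()` inside the caller's transaction is what makes the log trustworthy for forensics: a committed change always has its row, and a rolled-back one never does.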
Most controls (audit logging, access control, encryption, change management) are already implemented. The path to SOC 2 Type II and ISO 27001 in 2026 is mainly evidence-gathering, not net-new work.
Audit window opens in 2026. Most Trust Service Criteria controls (access control, change management, system monitoring, incident response) are already operational and instrumented. The bulk of audit prep is collecting evidence for the auditor.
Information Security Management System (ISMS) controls implemented in parallel with SOC 2; certification path scoped for 2026 alongside SOC 2.
Per-region data residency in development; customers will be able to choose region for data at rest (EU, US, APAC) — important for GDPR-bound and Indian Personal Data Protection Bill workloads.
Auth abstraction ready for SAML 2.0 and OIDC. Okta, Azure AD, Google Workspace, and generic SAML providers will plug in per tenant.
Procurement security reviews are part of every enterprise deal we do. Send us your standard questionnaire — CAIQ, SIG, vendor risk assessment, anything — and we'll come back with a populated response and a call on anything that needs discussion.