Data Security
DPO Central is built with defense-in-depth across every layer. As a privacy management platform handling assessment results, incident records, vendor contracts, and data subject requests, security is a foundational requirement — not an afterthought.
Identity & Access
Authentication, authorization, and session management
- Multi-provider sign-in via Google OAuth and email magic links
- Stateless JWT sessions — no server-side session state to compromise
- OAuth tokens are never persisted to the database
- Account isolation — each sign-in method is kept separate
- Cross-app SSO via secure, scoped session cookies
No passwords are stored. Authentication is delegated to trusted identity providers or cryptographically signed magic links.
- Strict multi-tenancy — every query is scoped to your organization
- Five-tier role hierarchy: Owner, Admin, Privacy Officer, Member, Viewer
- Role-based enforcement on all create, update, and delete operations
- Destructive actions restricted to Admins and Owners only
- No raw SQL — all access via parameterized ORM queries
All database access uses parameterized ORM queries. Because user input is always passed as bound parameters and never interpolated into query text, SQL injection is structurally prevented rather than merely mitigated.
Application Security
Input handling, API protection, and abuse prevention
- Schema validation on every API endpoint
- HTML sanitization on all public-facing inputs
- Parameterized database queries prevent SQL injection
- Validation error details hidden in production
- Timing-safe API key verification on administrative endpoints
- Payload size validation on batch operations
- Token expiry enforcement on all vendor questionnaire operations
- Public DSAR portal validates active configuration before accepting submissions
API key comparisons use constant-time algorithms to prevent timing attacks on administrative endpoints.
- Authentication endpoints throttled against credential stuffing
- Checkout and billing routes protected against payment fraud
- Public submission endpoints throttled to prevent spam
- Proper 429 responses with Retry-After headers
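The throttling and 429 behaviour described above, as an added example that is not DPO Central's code: a per-client fixed-window limiter that returns the status and headers a route handler would send. The function names, the window size and the use of an injectable clock are assumptions made for the example.

```javascript
// Added example (not DPO Central's code): fixed-window rate limiting with
// 429 + Retry-After. Keying, limits and the clock are assumptions.
const DEFAULT_WINDOW_MS = 60 * 1000;

function createRateLimiter({ limit, windowMs = DEFAULT_WINDOW_MS, now = () => Date.now() } = {}) {
  // key -> { count, windowStart }; a real deployment would keep this in a
  // shared store so every edge instance sees the same counters.
  const buckets = new Map();

  function check(key) {
    const t = now();
    let bucket = buckets.get(key);
    if (!bucket || t - bucket.windowStart >= windowMs) {
      bucket = { count: 0, windowStart: t };
      buckets.set(key, bucket);
    }
    bucket.count += 1;

    const resetAt = bucket.windowStart + windowMs;
    const remaining = Math.max(0, limit - bucket.count);
    const headers = {
      'X-RateLimit-Limit': String(limit),
      'X-RateLimit-Remaining': String(remaining),
    };

    if (bucket.count > limit) {
      // Retry-After is expressed in whole seconds until the window resets.
      headers['Retry-After'] = String(Math.ceil((resetAt - t) / 1000));
      return { allowed: false, status: 429, headers };
    }
    return { allowed: true, status: 200, headers };
  }

  return { check };
}

// Example wiring for a public submission endpoint: throttle by the caller's
// identity (here a constructed client id) before any business logic runs.
function handlePublicSubmission(limiter, clientId, processFn) {
  const decision = limiter.check(clientId);
  if (!decision.allowed) {
    return { status: 429, headers: decision.headers, body: { error: 'Too many requests' } };
  }
  return { status: 200, headers: decision.headers, body: processFn() };
}
```

Authenticated routes should key on the user or organization rather than the client IP, since IP-based keys are unreliable behind shared NATs and proxies; for sign-in endpoints a combination of IP and submitted identifier is a common choice.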
Data Protection
Transport security, audit logging, minimization, and payment handling
- HSTS with 2-year duration, subdomains, and preload
- Content Security Policy with per-request nonces
- Clickjacking protection via X-Frame-Options: DENY
- MIME sniffing prevention and strict referrer policy
- Camera, microphone, and geolocation disabled by policy
CSP nonces are generated fresh for every request, so an inline script injected through an XSS vector will not carry the current nonce and the browser refuses to execute it.
- Comprehensive logging for all create, update, and delete operations
- Administrative actions logged with full metadata
- Structured production logging with no stack traces or sensitive context
- API responses return only the fields needed by the interface
- Sensitive keys are masked in administrative views
- Public email domains blocked from automatic organization membership
- Stripe webhook signature verification via HMAC-SHA256
- Server-side checkout prevents client-side price manipulation
- Entitlements automatically suspended on payment failure
Infrastructure
Hosting, encryption, and environment isolation
- Hosted on Vercel with automatic TLS and global edge network
- PostgreSQL database with encrypted connections
- Environment secrets excluded from client bundles
- Development-only endpoints gated by runtime environment checks
Responsible Disclosure
If you discover a security vulnerability, please report it responsibly. Do not open a public issue. Contact us directly at the email address listed in the repository.