Security & Compliance

Table of Contents

  1. Authentication
    1. Password Security
    2. JWT Tokens
    3. Multi-Factor Authentication
    4. SSO/SAML
  2. Authorization
    1. Role-Based Access Control
    2. Resource Permissions
  3. Data Protection
    1. Encryption at Rest
    2. Encryption in Transit
    3. Data Isolation
  4. Compliance
    1. HIPAA
    2. SOC 2 Type II
    3. GDPR
    4. CCPA
    5. FERPA
  5. Security Headers
  6. Rate Limiting
  7. Audit Logging
  8. Vulnerability Reporting

Authentication

Password Security

  • Algorithm: Argon2id (memory-hard)
  • Parameters: m=19456, t=2, p=1
  • Requirements:
    • Minimum 12 characters
    • At least 1 uppercase, 1 lowercase, 1 number, 1 special character
    • Not in common password lists
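The policy above, as an added example in Python (not the product's own code): a checker for the length, character-class and common-password requirements, plus an Argon2id hashing wrapper that uses the page's m=19456, t=2, p=1 parameters through the argon2-cffi library. The library import is optional, the five-entry common-password list is a constructed stand-in for a real breached-password list, and the function names are this example's own.

```python
import string

# Argon2id parameters named on the page (memory in KiB, iterations, lanes).
ARGON2_MEMORY_KIB = 19456
ARGON2_TIME_COST = 2
ARGON2_PARALLELISM = 1
MIN_LENGTH = 12

# Constructed stand-in for a breached/common-password list; a deployment would
# load a large list (for example a Have I Been Pwned export) instead.
COMMON_PASSWORDS = {
    "password", "password123", "qwerty123456", "letmein12345!", "welcome12345!",
}


def check_password_policy(password: str) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    # Case-insensitive lookup so trivial capitalisation does not evade the list.
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common password list")
    return problems


try:
    # argon2-cffi is optional here; the policy check above does not need it.
    from argon2 import PasswordHasher, Type
    _HASHER = PasswordHasher(time_cost=ARGON2_TIME_COST, memory_cost=ARGON2_MEMORY_KIB,
                             parallelism=ARGON2_PARALLELISM, type=Type.ID)
except ImportError:
    _HASHER = None


def hash_password(password: str) -> str:
    """Enforce the policy, then hash with Argon2id using the page's parameters."""
    problems = check_password_policy(password)
    if problems:
        raise ValueError("; ".join(problems))
    if _HASHER is None:
        raise RuntimeError("argon2-cffi is not installed")
    # The encoded string carries the salt and parameters, so they can be
    # raised later and old hashes still verify.
    return _HASHER.hash(password)


def verify_password(stored_hash: str, password: str) -> bool:
    if _HASHER is None:
        raise RuntimeError("argon2-cffi is not installed")
    try:
        return _HASHER.verify(stored_hash, password)
    except Exception:  # argon2.exceptions.VerifyMismatchError and friends
        return False
```

The policy check is deliberately separate from hashing so that a rejected password never reaches the (expensive) Argon2id call, and the common-password comparison is case-insensitive so that a capitalised entry from the list does not slip through.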

JWT Tokens

  • Access Token: 1 hour expiry
  • Refresh Token: 30 days expiry
  • Rotation: New refresh token on each use
  • Blacklisting: Revoked tokens stored in database
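The token lifecycle described above (1-hour access tokens, 30-day refresh tokens, rotation on every use and a revocation store) as an added, standard-library-only Python example. It is not the product's implementation: the HS256 signing, the `TokenService` class and the in-memory `revoked` set (standing in for the page's database-backed blacklist) are this example's own; the injectable clock exists so the expiry behaviour can be exercised without waiting.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

ACCESS_TTL = 3600          # 1 hour, as on the page
REFRESH_TTL = 30 * 86400   # 30 days


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


class TokenService:
    """Issues HS256 JWTs; refresh tokens are single-use and revoked once rotated."""

    def __init__(self, secret: bytes, now=time.time):
        self.secret = secret
        self.now = now
        self.revoked = set()   # jti values of revoked refresh tokens (database in production)

    def _sign(self, claims: dict) -> str:
        header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
        payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
        sig = hmac.new(self.secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        return f"{header}.{payload}.{_b64url(sig)}"

    def decode(self, token: str, expected_type: str) -> dict:
        """Verify signature, algorithm, type, expiry and revocation; raise ValueError otherwise."""
        try:
            header, payload, sig = token.split(".")
        except ValueError:
            raise ValueError("malformed token")
        expected = hmac.new(self.secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            raise ValueError("bad signature")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            raise ValueError("unexpected alg")   # never let the token choose the algorithm
        claims = json.loads(_b64url_decode(payload))
        if claims.get("typ") != expected_type:
            raise ValueError("wrong token type")   # a refresh token must not pass as an access token
        if claims.get("exp", 0) <= self.now():
            raise ValueError("expired")
        if claims.get("jti") in self.revoked:
            raise ValueError("revoked")
        return claims

    def is_valid(self, token: str, expected_type: str) -> bool:
        try:
            self.decode(token, expected_type)
            return True
        except ValueError:   # covers JSON and base64 decoding errors too
            return False

    def issue_pair(self, subject: str):
        now = int(self.now())
        access = self._sign({"sub": subject, "typ": "access", "iat": now, "exp": now + ACCESS_TTL})
        refresh = self._sign({"sub": subject, "typ": "refresh", "iat": now,
                              "exp": now + REFRESH_TTL, "jti": secrets.token_urlsafe(16)})
        return access, refresh

    def refresh(self, refresh_token: str):
        """Rotate: accept the refresh token once, revoke it, and return a fresh pair."""
        claims = self.decode(refresh_token, "refresh")
        self.revoked.add(claims["jti"])
        return self.issue_pair(claims["sub"])

    def revoke(self, refresh_token: str) -> None:
        """Explicit logout: blacklist the refresh token without issuing a new one."""
        self.revoked.add(self.decode(refresh_token, "refresh")["jti"])
```

Two points the code makes explicit: a second instance with the same secret but its own empty `revoked` set would still accept a rotated-away refresh token, which is why the page stores revocations in the database rather than in process memory; and the `typ` check matters because a long-lived refresh token carries the same signature scheme as a one-hour access token.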

Multi-Factor Authentication

  • Method: TOTP (RFC 6238)
  • Apps: Google Authenticator, Authy, 1Password
  • Backup Codes: 10 single-use recovery codes

SSO/SAML

Supported providers:

  • Okta
  • Azure AD
  • Google Workspace
  • OneLogin
  • Custom SAML 2.0

Configuration:

POST /api/v1/sso/config
{
  "provider": "okta",
  "entity_id": "https://your-app.okta.com/...",
  "sso_url": "https://your-app.okta.com/app/.../sso/saml",
  "certificate": "-----BEGIN CERTIFICATE-----..."
}

Authorization

Role-Based Access Control

Role     Permissions
Admin    Full access, user management, settings
Editor   Create/edit meetings, manage transcripts
Viewer   View meetings and transcripts
Guest    View shared content only

Resource Permissions

  • Meetings: Owner, participants, organization members
  • Transcripts: Inherit from meeting
  • Comments: Meeting participants
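The role table and the resource rules above combined into one authorization check, as an added Python example (not the product's authorization code). The permission names, the `User`/`Meeting` dataclasses and the `shared_with_guests` flag are this example's own; what it demonstrates is the two-part decision (the role grants the action, and the user has a relationship to the resource), transcripts inheriting the meeting's audience, and cross-organization requests being refused regardless of role.

```python
from dataclasses import dataclass, field

# Role -> permissions, transcribed from the page's role table. The permission
# identifiers are this example's naming, not the product's.
ROLE_PERMISSIONS = {
    "admin":  {"meeting:view", "meeting:edit", "transcript:view", "transcript:edit",
               "comment:create", "user:manage", "settings:manage"},
    "editor": {"meeting:view", "meeting:edit", "transcript:view", "transcript:edit",
               "comment:create"},
    "viewer": {"meeting:view", "transcript:view"},
    "guest":  set(),   # guests only ever see explicitly shared content (handled below)
}


@dataclass
class User:
    id: str
    org: str
    role: str


@dataclass
class Meeting:
    id: str
    org: str
    owner: str
    participants: set = field(default_factory=set)
    shared_with_guests: bool = False   # constructed flag standing in for "shared content"


def _has_permission(user: User, permission: str) -> bool:
    return permission in ROLE_PERMISSIONS.get(user.role, set())


def _related_to_meeting(user: User, meeting: Meeting) -> bool:
    """Meetings are reachable by the owner, participants and organization members."""
    return (user.id == meeting.owner
            or user.id in meeting.participants
            or user.org == meeting.org)


def can_access_meeting(user: User, meeting: Meeting, action: str) -> bool:
    if user.role == "guest":
        return action == "view" and meeting.shared_with_guests
    return _has_permission(user, f"meeting:{action}") and _related_to_meeting(user, meeting)


def can_access_transcript(user: User, meeting: Meeting, action: str) -> bool:
    """Transcripts inherit the meeting's audience; only the permission name changes."""
    if user.role == "guest":
        return action == "view" and meeting.shared_with_guests
    return _has_permission(user, f"transcript:{action}") and _related_to_meeting(user, meeting)


def can_comment(user: User, meeting: Meeting) -> bool:
    """Comments are limited to participants (the owner is treated as a participant)."""
    is_participant = user.id == meeting.owner or user.id in meeting.participants
    return _has_permission(user, "comment:create") and is_participant
```

Keeping the relationship test in one helper means a new resource type that should inherit from meetings (as transcripts do) reuses the same tenant boundary instead of re-deriving it, which is where cross-tenant leaks usually creep in.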

Data Protection

Encryption at Rest

  • Database: Aegis-DB with AES-256-GCM
  • File Storage: Encrypted at rest (S3 SSE or local encryption)
  • Field-Level: Sensitive fields encrypted with separate keys

Encryption in Transit

  • TLS 1.3: Required for all connections
  • Certificate: Valid SSL certificate required
  • HSTS: Strict Transport Security enabled

Data Isolation

  • Multi-tenant architecture with organization-level isolation
  • Row-level security in database
  • Separate encryption keys per organization

Compliance

HIPAA

Requirement        Implementation
Audit Logging      6-year retention of all PHI access
Access Controls    RBAC with minimum necessary principle
Encryption         AES-256-GCM for data at rest and in transit
BAA Tracking       Business Associate Agreement management
Breach Detection   Automated monitoring and alerting

Enable HIPAA mode:

[compliance.hipaa]
enabled = true
audit_retention_years = 6

SOC 2 Type II

Control                     Implementation
CC6.1 - Logical Access      RBAC, MFA enforcement
CC6.2 - Authentication      Argon2id, TOTP MFA
CC6.3 - Access Reviews      Periodic certification workflows
CC7.1 - System Monitoring   Security event logging
CC7.2 - Incident Response   Incident tracking
CC8.1 - Vendor Management   Third-party risk assessment

GDPR

Right                    Implementation
Right to Access          Self-service data export
Right to Portability     Machine-readable JSON export
Right to Erasure         Automated deletion workflow
Right to Rectification   Self-service profile editing
Consent Management       Granular consent tracking

CCPA

Feature              Implementation
Right to Know        Data inventory and disclosure
Right to Delete      Deletion request workflow
Do Not Sell          Opt-out flag
Non-Discrimination   Equal service guarantee

FERPA

Feature             Implementation
Education Records   Enhanced access controls
Directory Opt-out   Student opt-out capability
Consent Tracking    Parental/student consent

Security Headers

Default security headers:

Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000; includeSubDomains
Referrer-Policy: strict-origin-when-cross-origin
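An added Python check (not part of the product) that audits a response's header set against the defaults listed above: it reports missing headers, an HSTS max-age below one year, and two weaknesses a reviewer would flag in the listed defaults themselves. `'unsafe-inline'` in `script-src` permits injected inline scripts, which removes most of the XSS protection a CSP is there to provide; and `X-XSS-Protection` is deprecated, removed from Chromium and never implemented by Firefox, so it should not be relied on. The `PAGE_DEFAULT_HEADERS` dict is the page's list reproduced as a constructed sample response; the function names are this example's own.

```python
REQUIRED_HEADERS = (
    "Content-Security-Policy",
    "X-Content-Type-Options",
    "X-Frame-Options",
    "Strict-Transport-Security",
    "Referrer-Policy",
)
ONE_YEAR = 31536000

# The page's default header set, reproduced here as a constructed sample response.
PAGE_DEFAULT_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "1; mode=block",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}


def parse_csp(value: str) -> dict:
    """Split a CSP value into {directive: [source expressions]}."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def hsts_max_age(value: str):
    for token in value.split(";"):
        name, _, val = token.strip().partition("=")
        if name.lower() == "max-age" and val.isdigit():
            return int(val)
    return None


def audit_headers(headers: dict) -> list:
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    findings = []
    for name in REQUIRED_HEADERS:
        if name.lower() not in h:
            findings.append(f"missing {name}")
    csp = parse_csp(h.get("content-security-policy", ""))
    # script-src falls back to default-src when absent, as browsers do.
    script_src = csp.get("script-src", csp.get("default-src", []))
    if "'unsafe-inline'" in script_src:
        findings.append("CSP script-src allows 'unsafe-inline': injected inline scripts are not blocked")
    if "'unsafe-eval'" in script_src:
        findings.append("CSP script-src allows 'unsafe-eval'")
    if "x-content-type-options" in h and h["x-content-type-options"].lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")
    if "x-frame-options" in h and h["x-frame-options"].upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options should be DENY or SAMEORIGIN")
    max_age = hsts_max_age(h.get("strict-transport-security", ""))
    if max_age is None or max_age < ONE_YEAR:
        findings.append("HSTS max-age is missing or shorter than one year")
    if "x-xss-protection" in h:
        findings.append("X-XSS-Protection is deprecated (removed from Chromium, never in Firefox); rely on CSP")
    return findings
```

Run against a live deployment by feeding it the headers from an HTTPS response; a clean result on the hardened form of the page's defaults (`script-src 'self'` with nonces or hashes for any inline scripts, and no `X-XSS-Protection`) is what to aim for.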

Rate Limiting

Endpoint         Limit
/auth/login      5 requests/minute
/auth/register   3 requests/minute
/api/*           100 requests/minute
WebSocket        1000 messages/minute
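The table above as an added Python sliding-window limiter (example code, not the product's middleware). Limits are matched by endpoint pattern with the most specific first, each client keeps its own window per pattern, and a refused request reports how long until the oldest hit ages out, which is the value to put in a `Retry-After` header on the 429 response. The `websocket` pseudo-endpoint name and the injectable clock are this example's own conventions.

```python
import fnmatch
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 60

# Endpoint patterns and per-minute limits from the page's table. The first match
# wins, so the specific auth paths are listed before the /api/* catch-all.
LIMITS = (
    ("/auth/login", 5),
    ("/auth/register", 3),
    ("/api/*", 100),
    ("websocket", 1000),   # WebSocket messages, keyed under this constructed pseudo-endpoint
)


class RateLimiter:
    def __init__(self, now=time.time):
        self.now = now
        # (client, pattern) -> timestamps of hits still inside the window
        self.hits = defaultdict(deque)

    @staticmethod
    def limit_for(endpoint: str):
        for pattern, limit in LIMITS:
            if fnmatch.fnmatchcase(endpoint, pattern):
                return pattern, limit
        return None, None   # endpoint is not rate limited

    def check(self, client: str, endpoint: str):
        """Return (allowed, retry_after_seconds) using a sliding-window log."""
        pattern, limit = self.limit_for(endpoint)
        if pattern is None:
            return True, 0.0
        now = self.now()
        window = self.hits[(client, pattern)]
        # Drop hits older than the window before counting.
        while window and window[0] <= now - WINDOW_SECONDS:
            window.popleft()
        if len(window) >= limit:
            # Oldest remaining hit decides when capacity returns.
            return False, window[0] + WINDOW_SECONDS - now
        window.append(now)
        return True, 0.0
```

For `/auth/login` a second key on the target account, in addition to the client address, is worth adding: it keeps a distributed attempt against one account from staying under the per-client limit. Across several application instances the per-key deques move to a shared store (a Redis sorted set is the usual choice) with the same aging logic.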

Audit Logging

All security-relevant events are logged:

  • Login attempts (success/failure)
  • Password changes
  • MFA setup/disable
  • Permission changes
  • Data exports
  • Data deletions

Access audit logs:

GET /api/v1/admin/audit-logs?from=2024-01-01&to=2024-01-31

Vulnerability Reporting

Report security vulnerabilities to: security@automatanexus.com

Please include:

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Suggested fix (if any)

We follow responsible disclosure practices and will respond within 48 hours.