Security overview
Encryption
All traffic in transit uses TLS 1.2 or newer, with HSTS preload. The database and object storage are encrypted at rest with AES-256.
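HSTS preload is only honoured by browsers when the Strict-Transport-Security header meets the preload-list requirements (a max-age of at least one year, includeSubDomains, and the preload directive). The checker below is an added illustration, not code from this page or from the product; the minimum max-age constant and the sample headers are assumptions for the example.

```python
"""Validate a Strict-Transport-Security header against HSTS preload-list requirements.

Added example; the constant and sample headers are assumptions, not values taken from the page.
"""

# hstspreload.org requires max-age >= 31536000 seconds (one year); assumed constant.
PRELOAD_MIN_MAX_AGE = 31536000


def parse_hsts(header: str) -> dict:
    """Parse an HSTS header into {directive_name: value_or_None}.

    Directive names are case-insensitive (RFC 6797); values may be a token or a
    quoted-string. A directive that appears twice makes the whole header invalid.
    """
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"') if sep else None
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = value
    return directives


def preload_problems(header: str) -> list:
    """Return a list of reasons the header is not preload-eligible; empty list means it is."""
    try:
        d = parse_hsts(header)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        problems.append("max-age missing or not a non-negative integer")
    elif int(max_age) < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age {max_age} is below {PRELOAD_MIN_MAX_AGE}")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains directive missing")
    if "preload" not in d:
        problems.append("preload directive missing")
    return problems


# Constructed sample headers (not captured from any real host).
GOOD_HEADER = 'max-age="63072000"; includeSubDomains; preload'
WEAK_HEADER = "max-age=300"

if __name__ == "__main__":
    for h in (GOOD_HEADER, WEAK_HEADER):
        print(repr(h), "->", preload_problems(h) or "preload-eligible")
```

The parser deliberately rejects repeated directives instead of taking the first or last one, because RFC 6797 tells user agents to ignore a header in which a directive appears more than once; a checker that silently accepted it would report a header browsers will discard.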
Authentication & access
- Email + password; passwords are checked against the Have I Been Pwned (HIBP) leaked-password corpus.
- TOTP-based MFA is mandatory for admin, finance, and HR roles.
- Rate limiting: 5 failed login attempts within 15 minutes lock the account.
- Server-side session revocation available to platform administrators.
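The HIBP check and the lockout rule above are the two controls a reviewer most often wants to see in code. The block below is an added example, not the product's own implementation: it shows the k-anonymity form of the HIBP lookup (only the first five hex characters of the SHA-1 leave the server, and the match is done locally against the returned range) and a sliding-window counter that locks an identity after 5 failures in 15 minutes. The HIBP range response embedded here is constructed, the counts in it are made up, and `LoginLimiter` is a hypothetical name.

```python
"""Added example: HIBP k-anonymity password check and failed-login lockout.

Not the product's code. The range response below is constructed for the example;
its counts are made up. In production the body comes from
GET https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1>.
"""
import hashlib
import time
from collections import defaultdict, deque


def sha1_prefix_suffix(password: str) -> tuple:
    """Split the uppercase hex SHA-1 of the password into (5-char prefix, 35-char suffix).

    Only the prefix is ever sent to HIBP; the suffix stays local.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(suffix: str, range_body: str) -> int:
    """Find `suffix` in a range response ("SUFFIX:COUNT" per line); 0 if absent.

    Padded responses (Add-Padding: true) include dummy lines with count 0, which
    this function treats the same as "not found".
    """
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        found, _, count = line.partition(":")
        if found.upper() == suffix.upper():
            return int(count) if count.strip().isdigit() else 0
    return 0


def is_breached(password: str, range_body: str) -> bool:
    """True if the password's SHA-1 suffix appears in the range body with a non-zero count."""
    _, suffix = sha1_prefix_suffix(password)
    return breach_count(suffix, range_body) > 0


class LoginLimiter:
    """Lock a key after `max_failures` failures inside a sliding `window_seconds` window.

    Key on something like (account, source IP): keying on the account alone lets
    an attacker lock legitimate users out by spamming failures.
    """

    def __init__(self, max_failures: int = 5, window_seconds: int = 15 * 60, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.clock = clock
        self._failures = defaultdict(deque)

    def _prune(self, key: str, now: float) -> None:
        q = self._failures[key]
        while q and now - q[0] >= self.window:
            q.popleft()

    def record_failure(self, key: str) -> None:
        now = self.clock()
        self._prune(key, now)
        self._failures[key].append(now)

    def record_success(self, key: str) -> None:
        self._failures.pop(key, None)

    def is_locked(self, key: str) -> bool:
        now = self.clock()
        self._prune(key, now)
        return len(self._failures[key]) >= self.max_failures


# Constructed range response for prefix 5BAA6 (the SHA-1 prefix of "password").
# Suffixes other than the real one are invented; counts are made up; the last line
# mimics a padding entry.
SAMPLE_RANGE_RESPONSE = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E2AAA439972480CEC7F16C795BBB429372:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1F00A1B2C3D4E5F60718293A4B5C6D7E8F9:0
"""

if __name__ == "__main__":
    print("prefix sent to HIBP:", sha1_prefix_suffix("password")[0])
    print("breached:", is_breached("password", SAMPLE_RANGE_RESPONSE))
```

Two details matter in practice: the full password hash is never transmitted (compare only the 35-character suffix locally), and the limiter prunes expired failures on every read, so a lockout expires on its own after the window passes without any background job.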
Authorization
Postgres Row-Level Security is enabled on every user-data table. Authorization checks are capability-based and scoped to the caller's firm and role.
Auditability
Every privileged action and data mutation is written to an append-only audit log retained for 7 years. Sensitive actions (role grants, payment operations, MFA changes) are double-logged.
Compliance posture
SOC 2 Type 2 readiness work is in progress. HIPAA-oriented controls are applied, but we do not currently store PHI, and a signed BAA is required before any healthcare-regulated data is onboarded.
Vulnerability reporting
Email security@busacta.com. Reports are acknowledged within 1 business day; HIGH and CRITICAL findings are fixed within 7 days.