01
Administrative isolation
MFA · role schemas · auditEvery privileged route requires multi-factor authentication. Stale identities are programmatically demoted and offboarded.
The proxy gates /admin, /consultant, /agency, and /assessor. Any privileged user without enrolled MFA is force-redirected to enrollment before reaching the surface. Offboarded users are sentinel-rewritten and indefinitely auth-banned, with role flags cleared. Bulk audits catch drift.
02
Data minimization perimeter
Boundary discipline · evidence metadataThe portal stores documentation about regulated data — never the regulated data itself. Evidence metadata is cryptographically anchored; raw data stays in the customer’s perimeter.
No PHI, CUI, or cardholder data lives in the portal. Customers upload evidence of controls — policies, screenshots, config exports, log excerpts. Each upload is SHA-256 hashed server-side at ingest, and that hash becomes the immutable source of truth. RLS scopes documents per customer, and the boundary holds even under direct PostgREST queries.
SSRF allowlist · per-vendor enforcement Connectors (Okta, Entra ID, Google Workspace, GitHub, AWS CloudTrail, Vanta) enforce a strict per-vendor destination allowlist. Customer URLs are validated against known production hosts before any outbound request.
SSRF is the highest-leverage attack against any platform with customer-configured integrations. The connector layer rejects any URL that isn’t HTTPS on the vendor’s known host pattern — Okta must end in .okta.com, Vanta on the vanta.com namespace, and so on. Full-URL connectors run through the allowlist library before fetch().
CI gating · append-only chain Security-sensitive code paths are enforced by a CI gating framework before any code reaches production. The audit chain is append-only at the trigger layer and verified continuously.
Every pull request passes a service-role auth-check gate that fails if new code introduces a server-side admin client without a recognized auth step in the same file. The audit_events table is hash-chained — each row references the prior row’s hash; updates and deletes are blocked at the trigger layer. The chain tail is RFC 3161 timestamped via SSL.com’s TSA, and recipients verify it independently with no cooperation from us.
05
U.S. Person access for CMMC L2
Database-enforced · attestation gateConsultants on a CMMC Level 2 engagement must complete a U.S. Person attestation before any assignment is permitted. Enforced at the database trigger layer, not the application layer.
CMMC L2 engagements routinely touch CUI with ITAR or export-controlled adjacency. The practitioner-gates trigger blocks an INSERT into consultant_assignments until a verified U.S. Person attestation exists for the consultant. No administrative override is exposed. ITAR-flagged scope (22 CFR §120.33) keeps the regulated data inside the customer’s domestic perimeter; the portal carries only the documentation attesting to the controls.