Every security control we operate, with status indicators (live, in progress, planned). For the formal SOC 2 / FedRAMP path see /trust/compliance; for vulnerability disclosure see security.txt.

TLS 1.3 in transit, end-to-end.
Status: live
Every connection from browser to platform uses TLS 1.3 with HSTS preloading enabled. Older protocols (TLS 1.0, 1.1, 1.2) are disabled at the edge. Preloading only takes effect once the domain is on the browsers' preload list, which requires the Strict-Transport-Security header to carry a max-age of at least one year plus the includeSubDomains and preload directives.
Postgres data is encrypted at rest by Neon (AES-256). Vercel Blob storage is encrypted at rest by Vercel. Backups are encrypted with the same key tier.
Content Security Policy with strict-dynamic, which needs a per-request nonce or hash rather than a static allowlist, is computed per request. Currently in report-only mode (the policy is sent as Content-Security-Policy-Report-Only, so violations are reported but nothing is blocked) while we verify clean telemetry; flipping to enforce mode is a one-env-var change once the 24-48h observation window is clean.
Contractor, Service Provider, Lobbyist, and Admin user classes are isolated at the data and route layers: a contractor cannot read a provider's leads, and an admin's elevated mutations require a fresh authentication (a recent login, not merely a valid session). Implementation: NextAuth JWT with role-bound session callbacks, so the role is fixed in the server-issued token at sign-in rather than supplied by the client on each request.
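
The three pieces the paragraph names (role bound into the token by the NextAuth callbacks, a route-layer guard that also demands a fresh login for elevated mutations, and a data-layer scope for lead queries), as an added example in Node JavaScript. This is not the platform's code: the claim names `role` and `authTime`, the five-minute step-up window, the `leads.providerId` column and the contractor/provider/lobbyist/admin/super_admin role names are assumptions for illustration.

```javascript
// Added example, not the platform's own code. Assumed: `role` and `authTime`
// (Unix seconds) claims, a 5-minute step-up window, role names as below.
const ROLES = new Set(['contractor', 'provider', 'lobbyist', 'admin', 'super_admin']);
const FRESH_AUTH_MAX_AGE_S = 5 * 60;

function nowSeconds() { return Math.floor(Date.now() / 1000); }

// NextAuth-style `jwt` callback: `user` is only present on the sign-in call,
// so role and authTime are set once from the server-side user record and then
// simply carried forward on every refresh; the client never supplies them.
function jwtCallback({ token, user, now = nowSeconds() }) {
  if (user) {
    if (!ROLES.has(user.role)) throw new Error(`unknown role ${user.role}`);
    token.sub = user.id;
    token.role = user.role;
    token.authTime = now;
  }
  return token;
}

// NextAuth-style `session` callback: expose only what the UI needs.
function sessionCallback({ session, token }) {
  session.user = { id: token.sub, role: token.role };
  return session;
}

// Route-layer guard. Wrong role -> 403. No session, or an elevated mutation on
// a token whose login is older than the window -> 401 so the client re-authenticates.
function authorizeMutation(token, { allowedRoles, requireFreshAuth = false, now = nowSeconds() }) {
  if (!token || !token.sub) return { ok: false, status: 401, reason: 'no session' };
  if (!allowedRoles.includes(token.role)) return { ok: false, status: 403, reason: 'role not permitted' };
  if (requireFreshAuth) {
    const age = now - (token.authTime ?? 0);
    if (age < 0 || age > FRESH_AUTH_MAX_AGE_S) {
      return { ok: false, status: 401, reason: 'fresh authentication required' };
    }
  }
  return { ok: true, status: 200 };
}

// Data-layer scope for the leads table. Providers get a filter pinned to their
// own id, admins get an unrestricted filter, every other role (contractors,
// lobbyists) gets null, which the caller must treat as "do not run the query".
// Failing closed here means a forgotten route check still leaks nothing.
function leadsScopeFor(token) {
  switch (token?.role) {
    case 'provider': return { providerId: token.sub };
    case 'admin':
    case 'super_admin': return {};
    default: return null;
  }
}
```

The route guard and the data scope are deliberately separate: the guard decides whether the handler runs at all, the scope decides what rows it can see, and a bug in one does not undo the other.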
Passwords are never stored in plaintext or in any reversible form, and no recoverable secret exists on the server. Password reset emails contain a single-use, time-bound token; the password itself is never sent.
TOTP MFA with bcrypt-hashed backup codes is shipped on the admin, provider and lobbyist login paths. It is currently disabled via the MFA_ENABLED env flag (operator decision), so those accounts are password-only until the flag is set back. Flipping it to true restores enforcement for every previously-enrolled user with no re-enrollment required, because enrollment data is retained while the flag is off.
Every state-changing (non-GET/HEAD/OPTIONS) /api/* request runs an Origin/Referer same-origin check before the route handler, so a cross-site form post or fetch is rejected regardless of which cookies it carries. Webhook endpoints (Stripe, intel ingest) and NextAuth callbacks are exempt because they carry their own non-cookie authentication, which a browser would never attach to a forged request on its own.
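
The same-origin check with its exemptions, as an added example in Node JavaScript (not the platform's middleware). The exempt path prefixes, the `APP_ORIGIN` value and the request shape `{ method, pathname, headers }` with lower-cased header names are assumptions; the decision logic (Origin first, Referer fallback, fail closed when both are absent, reject `null`) is the standard pattern the paragraph describes.

```javascript
// Added example, not the platform's own code. Assumed: exempt path prefixes
// below, lower-cased header names, appOrigin like 'https://app.example'.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);
const EXEMPT_PREFIXES = ['/api/webhooks/stripe', '/api/intel/ingest', '/api/auth/'];

function originOf(urlString) {
  try { return new URL(urlString).origin; } catch { return null; }
}

// Returns { ok: true } or { ok: false, status: 403, reason }.
function csrfCheck(req, appOrigin) {
  if (SAFE_METHODS.has(req.method.toUpperCase())) return { ok: true };
  if (!req.pathname.startsWith('/api/')) return { ok: true }; // only API routes are guarded here
  if (EXEMPT_PREFIXES.some(p => req.pathname.startsWith(p))) return { ok: true };

  // Prefer Origin: browsers always send it on cross-site POSTs. The literal
  // "null" (sandboxed iframe, data: URL, some redirects) is not same-origin.
  const origin = req.headers['origin'];
  if (origin !== undefined) {
    return origin === appOrigin
      ? { ok: true }
      : { ok: false, status: 403, reason: `origin ${origin} not allowed` };
  }

  // Fall back to Referer (may be stripped by privacy settings); compare its
  // origin, never a string prefix, so app.example.evil.test does not pass.
  const referer = req.headers['referer'];
  if (referer !== undefined) {
    return originOf(referer) === appOrigin
      ? { ok: true }
      : { ok: false, status: 403, reason: 'referer origin mismatch' };
  }

  // Neither header: fail closed. Non-browser clients belong on an exempt route
  // with their own credential, not on a cookie-authenticated one.
  return { ok: false, status: 403, reason: 'missing Origin and Referer' };
}
```

The exemption list is the part to audit: every prefix on it must correspond to a route that verifies a non-cookie credential (a webhook signature, a bearer token), otherwise the exemption simply reopens the CSRF hole for that route.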
AuditLog rows are captured on admin login, role changes, application approve/reject, provider/lobbyist suspension, and Stripe Connect onboarding completion. Retention is 365 days; rows are queryable by super_admin.
Error-rate, latency, and unhandled-promise-rejection alerts are routed to the operator inbox. PII is scrubbed at the SDK boundary, before an event leaves the process; no user emails or message bodies enter Sentry.
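
What scrubbing "at the SDK boundary" looks like, as an added example in Node JavaScript: a `beforeSend`-style hook (the Sentry SDK option of that name runs in-process before an event is sent) that drops identity fields and masks e-mail addresses and message bodies wherever they occur in the event tree. This is not the platform's code; the event layout follows Sentry's JSON shape, and the key names treated as message bodies (`body`, `message_body`, `messageBody`) are assumptions.

```javascript
// Added example, not the platform's own code. Assumed: message bodies travel
// under the keys in BODY_KEYS; identity fields in DROP_KEYS are removed outright.
const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;
const BODY_KEYS = new Set(['body', 'message_body', 'messageBody']);
const DROP_KEYS = new Set(['email', 'ip_address', 'username', 'cookies', 'authorization']);

// Walk the event, building a new tree: strings get e-mails masked (or are
// replaced wholesale when they sit under a body key), listed identity keys are
// dropped, everything else is copied. The original object is left untouched.
function scrub(value, key) {
  if (typeof value === 'string') {
    return BODY_KEYS.has(key) ? '[body removed]' : value.replace(EMAIL_RE, '[email]');
  }
  if (Array.isArray(value)) return value.map(v => scrub(v, key));
  if (value && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      if (DROP_KEYS.has(k.toLowerCase())) continue;
      out[k] = scrub(v, k);
    }
    return out;
  }
  return value;
}

// Sentry's beforeSend(event, hint) contract: return the event to send it,
// or null to drop it. A stable, non-identifying user.id survives so errors
// can still be correlated per account without the e-mail.
function beforeSend(event) {
  return scrub(event, undefined);
}
```

Pair this with `sendDefaultPii: false` in the SDK init so the SDK does not add request cookies and IP addresses itself, and keep the regex allowlist-minded: anything the scrubber does not recognise as PII still leaves the process, so new free-text fields need to be reviewed as they are added.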