Legal & compliance

Security Policy

Last updated 3 May 2026

Security Policy

Last updated: 3 May 2026.

Architecture

  • Hosting on Replit autoscale deployments behind a global mTLS-fronted proxy. TLS 1.2+ end-to-end; HSTS enforced in production.
  • Database is Replit-managed PostgreSQL (Neon), encrypted at rest with AES-256, with 30-day point-in-time recovery and daily off-host snapshots.
  • Object storage for licence scans and uploaded report PDFs uses presigned URLs (10-minute expiry); no anonymous direct-bucket access.
  • Multi-tenancy is enforced by organisation on every read and write; row-level checks live in the API layer (Drizzle ORM), with cross-tenant access only available to authenticated staff roles, every action of which is audit-logged.

Application controls

  • Authentication: bcrypt password hashes (cost 12), HTTP-only signed session cookies, per-IP sliding-window rate limit on the login endpoint, per-account lock after repeated failures.
  • Mobile app: Face ID / Touch ID gate optional; biometric template never leaves the device. Push tokens scoped per device.
  • Authorisation: RBAC at the tenant level (admin, training manager, instructor, examiner, pilot, compliance officer, read-only auditor) and at the platform level (staff, staff admin).
  • Input validation: Zod schemas generated from OpenAPI; the same schemas are used by the web client and the API so client and server agree on shape.
  • Error handling: a single hardened error handler returns a stable error shape; internal errors (DB constraint names, file paths) are never echoed to the client.
  • Headers: Helmet (X-Frame-Options SAMEORIGIN, X-Content-Type-Options nosniff, Referrer-Policy, COOP, CORP, HSTS in prod); the powered-by header is disabled.
  • CORS: allowlist driven by the configured production domains; no-Origin requests (mobile, server-to-server health) are accepted.
  • Rate limit: 600 requests/minute/IP on the API, plus the stricter login-only limiter above.

Operations

  • Audit log: every privileged action — admin mutation, staff console action, impersonation, password reset — is recorded (actor, action, target, IP, user-agent, timestamp). Append-only, retained 2 years.
  • Vulnerability management: weekly automated dependency-vulnerability scans, SAST and secret-scanning on every change. Critical/high findings are remediated within 7 / 30 days respectively.
  • Penetration test: contracted annually with an external CREST-certified provider; executive summary available under NDA on request.
  • Incident response: 24/7 on-call; Personal Data Breach notification to affected customers within 48 hours per Art. 33 GDPR; postmortem published for incidents at SEV-2 and above.
  • Backups & DR: documented runbook with a 4-hour RTO and 1-hour RPO target.
  • Personnel: background checks for production-access staff, signed NDAs, mandatory annual security training, MFA required for all admin tooling.

Reporting a vulnerability

Email security@waypointtms.com. We acknowledge within one business day, triage within three, and target a fix in 30 days for high-severity issues. We don't currently run a paid bug bounty but credit reporters on this page (with consent) once the fix has shipped.

← All legal documents