Legal & compliance
Security Policy
Last updated 3 May 2026
Security Policy
Last updated: 3 May 2026.
Architecture
- Hosting on Replit autoscale deployments behind a global mTLS-fronted proxy. TLS 1.2+ end-to-end; HSTS enforced in production.
- Database is Replit-managed PostgreSQL (Neon), encrypted at rest with AES-256, with 30-day point-in-time recovery and daily off-host snapshots.
- Object storage for licence scans and uploaded report PDFs uses presigned URLs (10-minute expiry); no anonymous direct-bucket access.
- Multi-tenancy is enforced by organisation on every read and write; row-level checks live in the API layer (Drizzle ORM), with cross-tenant access only available to authenticated staff roles, every action of which is audit-logged.
Application controls
- Authentication: bcrypt password hashes (cost 12), HTTP-only signed session cookies, per-IP sliding-window rate limit on the login endpoint, per-account lock after repeated failures.
- Mobile app: Face ID / Touch ID gate optional; biometric template never leaves the device. Push tokens scoped per device.
- Authorisation: RBAC at the tenant level (admin, training manager, instructor, examiner, pilot, compliance officer, read-only auditor) and at the platform level (staff, staff admin).
- Input validation: Zod schemas generated from OpenAPI; the same schemas are used by the web client and the API so client and server agree on shape.
- Error handling: a single hardened error handler returns a stable error shape; internal errors (DB constraint names, file paths) are never echoed to the client.
- Headers: Helmet (X-Frame-Options SAMEORIGIN, X-Content-Type-Options nosniff, Referrer-Policy, COOP, CORP, HSTS in prod); the powered-by header is disabled.
- CORS: allowlist driven by the configured production domains; no-Origin requests (mobile, server-to-server health) are accepted.
- Rate limit: 600 requests/minute/IP on the API, plus the stricter login-only limiter above.
Operations
- Audit log: every privileged action — admin mutation, staff console action, impersonation, password reset — is recorded (actor, action, target, IP, user-agent, timestamp). Append-only, retained 2 years.
- Vulnerability management: weekly automated dependency-vulnerability scans, SAST and secret-scanning on every change. Critical/high findings are remediated within 7 / 30 days respectively.
- Penetration test: contracted annually with an external CREST-certified provider; executive summary available under NDA on request.
- Incident response: 24/7 on-call; Personal Data Breach notification to affected customers within 48 hours per Art. 33 GDPR; postmortem published for incidents at SEV-2 and above.
- Backups & DR: documented runbook with a 4-hour RTO and 1-hour RPO target.
- Personnel: background checks for production-access staff, signed NDAs, mandatory annual security training, MFA required for all admin tooling.
Reporting a vulnerability
Email security@waypointtms.com. We acknowledge within one business day, triage within three, and target a fix in 30 days for high-severity issues. We don't currently run a paid bug bounty but credit reporters on this page (with consent) once the fix has shipped.
← All legal documents