Security

Built secure
from day one

Multi-tenant SaaS handling logistics business data deserves real security thinking — not just an SSL badge and a privacy policy.

Below: how CyVeR's security is structured, with real numbers from the systematic audits we've done.

448 · Query sites audited

Every database read and write reviewed for tenant isolation.

110+ · XSS sites hardened

HTML output to PDFs and emails escaped at every interpolation point.

Audit log coverage

Every privileged operation writes an immutable audit row.

PIPEDA · Data residency

Canadian-hosted infrastructure with PIPEDA-aware design.

01 · Multi-tenancy

Tenant isolation

Every database query, every API endpoint, every email is scoped to the tenant making the request. Customer A's data is never visible to Customer B's users.

Enforced at the query layer with tenant ID on every read and write. Multi-tenant isolation has been systematically audited across all 448 database query sites in the codebase.

  • Per-query enforcement: findFirst({ where: { id, tenantId } }) instead of unscoped findUnique
  • 705+ tenantId references across services and controllers — defense in depth
  • Resource-isolation tests — automated tests assert cross-tenant access returns 404
  • Per-tenant feature flags — features can be turned on per customer without code changes

Pattern

trip.controller.js

const trip = await prisma.trip.findFirst({
  where: {
    id: req.params.id,
    tenantId: tid(req)  // ← always scoped
  },
  include: { driver: true, truck: true }
})

if (!trip) return res.status(404).json(...)
// Cross-tenant access returns 404, not 403
// — does not confirm trip exists in another tenant.
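Keeping a number like "448 query sites, all scoped" true over time needs a check that runs on every change, not a one-off read-through. The following is an added example, not CyVeR's code: a first-pass scanner that lists every prisma.<model>.<op>( call site in a source string and flags the ones whose arguments never mention tenantId. It assumes queries go through a client named prisma and that scoping is a tenantId key in the where (or data) argument, as in the pattern above; the sample source is constructed.

```javascript
// Added example (not CyVeR's code): heuristic audit of Prisma query sites.
// Assumptions: the client is called `prisma`; tenant scoping appears as a
// `tenantId:` key somewhere in the call's arguments.
const QUERY_OPS = new Set([
  'findUnique', 'findFirst', 'findMany', 'count', 'aggregate',
  'create', 'createMany', 'update', 'updateMany', 'upsert', 'delete', 'deleteMany',
]);

// Text inside the balanced parentheses whose '(' sits at openIdx.
function balancedArgs(src, openIdx) {
  let depth = 0;
  for (let i = openIdx; i < src.length; i++) {
    if (src[i] === '(') depth++;
    else if (src[i] === ')' && --depth === 0) return src.slice(openIdx + 1, i);
  }
  return src.slice(openIdx + 1); // unterminated call: take the rest of the file
}

// Every prisma.<model>.<op>( site, with whether its arguments mention tenantId.
function auditQuerySites(src) {
  const re = /\bprisma\.(\w+)\.(\w+)\s*\(/g;
  const sites = [];
  let m;
  while ((m = re.exec(src)) !== null) {
    const [, model, op] = m;
    if (!QUERY_OPS.has(op)) continue;
    const args = balancedArgs(src, m.index + m[0].length - 1);
    sites.push({
      line: src.slice(0, m.index).split('\n').length,
      model,
      op,
      scoped: /\btenantId\s*:/.test(args),
    });
  }
  return sites;
}

function unscopedSites(src) {
  return auditQuerySites(src).filter((s) => !s.scoped);
}

// Constructed sample: two scoped sites, an unscoped findUnique, an unscoped update.
const SAMPLE_SOURCE = `
const trip = await prisma.trip.findFirst({
  where: { id: req.params.id, tenantId: tid(req) },
});
const driver = await prisma.driver.findUnique({ where: { id: req.params.driverId } });
await prisma.invoice.update({ where: { id }, data: { status: 'sent' } });
const trucks = await prisma.truck.findMany({ where: { tenantId: tid(req), active: true } });
`;

for (const s of unscopedSites(SAMPLE_SOURCE)) {
  console.log(`line ${s.line}: prisma.${s.model}.${s.op} has no tenantId`);
}
```

Run it over the backend tree in CI and fail the job when unscopedSites returns anything not on an explicit exception list (superadmin cross-tenant endpoints, for instance). A tenantId anywhere in the arguments satisfies the regex, so it is a filter for reviewers, not a proof of isolation; the resource-isolation tests above remain the proof.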

02 · Auth & access control

Authentication & RBAC

Passwords are hashed with bcrypt. Every JWT carries a tokenVersion claim, so a password change invalidates every existing session at once. Role-based access control is enforced on every endpoint, with six distinct roles.

  • bcrypt password hashing with cost factor 12
  • Login rate-limited per IP — brute-force protection
  • Constant-time comparison against decoy hashes prevents user-enumeration timing attacks
  • JWT tokenVersion — incrementing the user's tokenVersion invalidates every existing JWT instantly
  • QuickBooks OAuth state uses crypto.randomBytes(32), server-stored, single-use, 15-minute expiry
  • Driver app JWT — 72-hour expiry (down from 7 days for tighter rotation)

Six-role RBAC, enforced per endpoint

SA · Superadmin · Cross-tenant access · platform admin
A · Admin · Full tenant access · settings + users
D · Dispatcher · Orders, trips, dispatch, invoices
DM · Driver Manager · Drivers, trucks, trailers
AC · Accountant · Invoices, AR, customers
V · Viewer · Read-only · minimal scope

03 · Audit log

Immutable audit trail

Every privileged action writes to the AuditLog table. User creation and updates, settings changes, integration connections, password events, manual email sends, trip cancellations.

Audit metadata is whitelisted to prevent accidental capture of sensitive fields like password hashes. Full traceability for compliance and dispute resolution.

  • Tenant-scoped — admins see their tenant's audit; superadmins can see across
  • Whitelisted metadata — only specific fields per action type are captured; passwords never appear
  • Performed-by tracking — every entry includes user ID and human-readable name at the time of action
  • UI access — admins read the audit log directly from the Compliance section
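The whitelisting rule is the part worth seeing in code, because the failure mode it prevents is a caller passing a whole user record as metadata. Below is an added example, not CyVeR's code: an audit writer whose metadata is a positive list of fields per action type, with tenant-scoped reads. The action names, field names and the in-memory array standing in for the AuditLog table are assumptions.

```javascript
// Added example (not CyVeR's code). Action names and allowed fields are assumed.
const ALLOWED_METADATA = {
  'user.create': ['targetUserId', 'email', 'role'],
  'user.role.update': ['targetUserId', 'oldRole', 'newRole'],
  'settings.update': ['key', 'oldValue', 'newValue'],
  'integration.connect': ['provider', 'realmId'],
  'password.change': ['targetUserId'], // never the hash, never the password
  'email.send': ['invoiceId', 'recipientDomain'],
  'trip.cancel': ['tripId', 'reason'],
};

const auditRows = []; // stands in for the AuditLog table

function writeAudit(tenantId, actor, action, metadata = {}) {
  const allowed = ALLOWED_METADATA[action];
  if (!allowed) throw new Error(`unknown audit action: ${action}`); // fail closed
  const picked = {};
  for (const key of allowed) {
    if (Object.prototype.hasOwnProperty.call(metadata, key)) picked[key] = metadata[key];
  }
  const row = Object.freeze({
    id: auditRows.length + 1,
    at: new Date().toISOString(),
    tenantId,
    performedById: actor.id,
    performedByName: actor.name, // captured now: a later rename does not rewrite history
    action,
    metadata: Object.freeze(picked),
  });
  auditRows.push(row);
  return row;
}

// Admins only ever see their own tenant's rows, whatever tenantId they ask for.
// A superadmin may pass a tenantId, or nothing to read across all tenants.
function listAudit(viewer, tenantId) {
  const scope = viewer.role === 'superadmin' ? tenantId : viewer.tenantId;
  return auditRows.filter((r) => scope === undefined || r.tenantId === scope);
}
```

Object.freeze only gives in-process immutability; for the table itself the thing to verify is that the application's database role can INSERT and SELECT on AuditLog but has no UPDATE or DELETE grant, so an application bug or a compromised app credential cannot rewrite history.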

Audit Log · Last 24 hours · 42 events

14:32 · admin@maplefoods · Updated user role · rohit.s → Dispatcher
13:18 · rohit.s · Sent invoice · #INV-2104 → Maple Foods
12:00 · system · QuickBooks sync · 12 invoices · ok
09:45 · admin@maplefoods · Connected QB OAuth · Production realm 482910
08:22 · rohit.s · Cancelled trip · #TR-1839 · weather

Immutable · tenant-scoped · whitelisted metadata

04 · Input integrity

Input validation & XSS protection

All user input flows through Joi schema validation before reaching the database. HTML output to PDFs and emails is escaped at every interpolation site.

Joi schema validation

Every API endpoint validates request body, query, and params via Joi schemas. Type checks, length limits, format enforcement.

110+ XSS sites hardened

Every HTML interpolation in PDFs and emails escapes user content. Notes get safe linkification — no raw HTML, no inline scripts.
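"Safe linkification" is the step that usually goes wrong, because it is tempting to build the anchor from raw text and escape afterwards. The following added example (not CyVeR's code) does it in the safe order for a free-text note destined for an email or PDF template: escape everything first, then wrap only http(s) URLs found in the already-escaped text. Function names and the sample note are assumptions.

```javascript
// Added example (not CyVeR's code): escape first, linkify second.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Only http/https schemes, matched after escaping so the URL cannot carry
// markup or quotes; trailing punctuation stays outside the link.
const URL_RE = /\bhttps?:\/\/[^\s<>"']+?(?=[.,;:!?)]*(?:\s|$))/g;

function linkifyNote(note) {
  const safe = escapeHtml(note);
  return safe.replace(URL_RE, (url) =>
    `<a href="${url}" rel="noopener noreferrer" target="_blank">${url}</a>`);
}

// Constructed sample note as a dispatcher might type it.
const SAMPLE_NOTE = 'Call <script>alert(1)</script> re https://example.com/x?a=1&b=2. "ok"';
console.log(linkifyNote(SAMPLE_NOTE));
```

Because the URL is taken from the escaped string, an ampersand inside a query string becomes &amp; in the href, which is the correct encoding inside an HTML attribute, and a double quote in the note can never terminate the attribute because it has already become &quot;. Anything that is not http or https, including javascript: and data: URLs, is left as plain escaped text.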

Mime-type whitelist

File uploads restricted to PDFs and common image formats only. No executables, no script smuggling. Size limits enforced.

Helmet headers

HSTS in production (1-year max-age, includeSubDomains), X-Content-Type-Options, X-Frame-Options, referrer policy.

CORS allowlist

Production CORS restricted to known frontend origins. Empty allowlist defaults to localhost only — never wildcard.

Rate limiting

IP-based rate limits on login (5/min), tenant registration (5/hour), and lookup endpoints (10/min).

05 · Secrets management

Secrets & deployment

Boot-time validation rejects weak or missing secrets. The app refuses to start with default-or-blank values like secret or changeme.

Boot-time secret validation

JWT_SECRET, DATABASE_URL, and other critical envs validated on boot. Weak default values rejected — the process exits before serving any request.
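A check like that is simple enough to show in full. The code below is an added example, not CyVeR's startup code: it validates a plain object of environment variables so it can be tested without touching process.env. JWT_SECRET and DATABASE_URL come from the paragraph above; the minimum length, the list of weak values, the entropy threshold and the Postgres-style sslmode check are assumptions.

```javascript
// Added example (not CyVeR's code). Thresholds and the weak-value list are assumed.
const REQUIRED = ['JWT_SECRET', 'DATABASE_URL'];
const WEAK_VALUES = new Set(['secret', 'changeme', 'password', 'jwt_secret', 'dev', 'test']);

// Shannon entropy in bits per character; catches "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
// which passes a length check but is not a secret.
function entropyPerChar(s) {
  const counts = new Map();
  for (const c of s) counts.set(c, (counts.get(c) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Returns a list of problems; empty means the configuration is acceptable.
function validateSecrets(env) {
  const problems = [];
  for (const name of REQUIRED) {
    const v = (env[name] || '').trim();
    if (!v) { problems.push(`${name} is missing or blank`); continue; }
    if (WEAK_VALUES.has(v.toLowerCase())) problems.push(`${name} is a known default value`);
  }
  const jwt = env.JWT_SECRET || '';
  if (jwt && jwt.length < 32) problems.push('JWT_SECRET must be at least 32 characters');
  if (jwt && entropyPerChar(jwt) < 3) problems.push('JWT_SECRET has too little variety to be a real secret');
  const db = env.DATABASE_URL || '';
  // Assumes a Postgres-style URL; "require" is the floor, verify-full is better.
  if (db && !/[?&]sslmode=(require|verify-ca|verify-full)\b/.test(db)) {
    problems.push('DATABASE_URL must require SSL (sslmode=require or stricter)');
  }
  return problems;
}

// Called first thing at boot: log every problem, then exit before any listener opens.
function assertSecretsOrExit(env = process.env) {
  const problems = validateSecrets(env);
  if (problems.length === 0) return;
  for (const p of problems) console.error(`[boot] ${p}`);
  process.exit(1);
}
```

Keep the check before the HTTP server is created and before any database client is constructed, so a misconfigured deployment never answers a single request and never sends credentials over a plaintext connection; and print the variable name but never the rejected value, since boot logs end up in places secrets should not.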

Documented dependency risks

SECURITY.md at repo root documents accepted transitive dependency risks (e.g. firebase-admin chain). Audit trail for every dependency decision.

CI on every push

4 jobs: backend tests, backend lint, frontend tests, frontend lint. Failures notify by email; security regressions caught before deployment.

Linear git history

No force pushes. No deletes. Branch protection on main. Every change has a commit signature, an author, and a CI run.

06 · Hosting & data residency

Canadian-hosted

Customer data stays in Canada. PIPEDA-aware design throughout. Hosting infrastructure evaluated against PIPEDA expectations — Canadian providers preferred, no US-only options.

Daily encrypted backups. Encrypted connections (TLS 1.2+) end-to-end. Database connections require SSL. We don't ship analytics or telemetry to third-party SaaS without your consent.


07 · Privacy

Data minimization

We collect only what we need to operate. Public tracking endpoints expose city/region — not exact GPS coordinates, not driver names, not financials, not customer email.

Driver location

Real GPS visible to dispatchers only. Public tracking shows city/region.

Financials

Rate, cost and margin are filtered from driver-app responses and never exposed through public tracking.

Customer info

Customer email and internal notes are hidden from public tracking, which is reachable only through tokenized URLs.

08 · Responsible disclosure

Found something?

If you've found a security issue in CyVeR, please report it privately. We'll respond within one business day, work with you on a fix, and credit you publicly if you want.

Please don't open public GitHub issues or post details on social media before we've had a chance to respond.

Want to audit it yourself?

Enterprise customers can get a security walk-through with our team. Bring your security team — we'll answer everything.