Every control listed below is implemented in the DefDossier codebase or runtime configuration. Controls still in progress or planned are disclosed honestly — no implied certifications, ever.
All passwords are stored as bcrypt hashes (cost factor 12) with per-record salts. No plaintext or reversible encoding is ever persisted.
Failed login attempts are counted per IP address and email pair. After 5 failures within 15 minutes, login for that pair is locked until the 15-minute cooldown elapses.
Access and refresh tokens are issued as httpOnly cookies with the Secure and SameSite=None attributes: their values cannot be read from JavaScript (document.cookie) and are only sent over HTTPS. SameSite=None means browsers still attach these cookies to cross-site requests, which is why state-changing requests additionally require the CSRF header described next.
Every state-changing request must carry an X-CSRF-Token header whose value matches the per-session CSRF cookie (the double-submit cookie pattern). Five public bootstrap endpoints, reachable before a session exists, are exempt by design.
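The double-submit check described above, written out as an added example (not DefDossier's own middleware). The exempt paths, the cookie name `csrf_token` and the header lookup are assumptions for illustration; the page only states that five bootstrap endpoints are exempt.

```python
import hmac
import secrets

# Public bootstrap endpoints that must work before a session (and hence a CSRF
# cookie) exists. The page says five such endpoints are exempt; these paths are
# placeholders assumed for the example, not DefDossier's actual routes.
CSRF_EXEMPT = frozenset({
    "/api/auth/login",
    "/api/auth/register",
    "/api/auth/forgot-password",
    "/api/auth/reset-password",
    "/api/health",
})

# Methods that must never change state and therefore need no CSRF check.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


def issue_csrf_token() -> str:
    """Fresh per-session token. It is set in a cookie the front end can read
    (so this one cookie cannot be httpOnly) and echoed in X-CSRF-Token."""
    return secrets.token_urlsafe(32)


def csrf_check(method: str, path: str, cookies: dict, headers: dict) -> bool:
    """Double-submit check for one request.

    Session cookies are SameSite=None, so a browser attaches them to a
    cross-site form post too. An attacker's page cannot read the CSRF cookie
    (same-origin policy) and cannot add a custom header to a cross-origin
    request without the server's CORS approval, so a matching header proves
    the request came from the application's own front end.
    """
    if method.upper() in SAFE_METHODS or path in CSRF_EXEMPT:
        return True
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    cookie_token = cookies.get("csrf_token")
    header_token = lowered.get("x-csrf-token")
    if not cookie_token or not header_token:
        return False
    # Constant-time comparison so response timing does not leak the cookie value.
    return hmac.compare_digest(cookie_token.encode(), header_token.encode())
```

Note that the exemption list is exact-path: a route added later that changes state must either be left off this list or deliberately added to it, so the list itself is worth reviewing on every routing change.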
Each user record carries a token_version that is incremented on password reset. Every issued JWT embeds that value in a ver claim, and the validator rejects any token whose ver does not equal the user's current token_version, so all previously-issued JWTs are invalidated server-side.
Reset tokens are single-use and expire 15 minutes after issue; reset requests are rate-limited to 3 per email address per hour. Issuing a new reset token also invalidates any earlier outstanding token for the same account.
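The login lockout and the reset-token rules above share one mechanism (a count of events per key inside a trailing window), so both are shown together here as an added example, not DefDossier's code. The in-memory store, the sha256 hashing of stored tokens and the sample IP and email are assumptions; the page gives only the limits and windows.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque

LOGIN_MAX_FAILURES = 5      # failures allowed per (ip, email) ...
LOGIN_WINDOW = 15 * 60      # ... within this many seconds
RESET_MAX_REQUESTS = 3      # reset requests per email ...
RESET_WINDOW = 60 * 60      # ... within one hour
RESET_TOKEN_TTL = 15 * 60   # reset token lifetime in seconds


class SlidingWindow:
    """Counts events per key inside a trailing window. In-memory for the
    example; a multi-process deployment would keep the counters in a shared
    store (an assumption, the page names none)."""

    def __init__(self, limit: int, window: int, clock=time.time):
        self.limit, self.window, self.clock = limit, window, clock
        self.events = defaultdict(deque)

    def _live(self, key, now: float) -> deque:
        q = self.events[key]
        while q and q[0] <= now - self.window:   # drop events older than the window
            q.popleft()
        return q

    def record(self, key) -> None:
        now = self.clock()
        self._live(key, now).append(now)

    def blocked(self, key) -> bool:
        return len(self._live(key, self.clock())) >= self.limit

    def retry_after(self, key) -> float:
        """Seconds until the oldest counted event ages out (0 if not blocked)."""
        now = self.clock()
        q = self._live(key, now)
        return 0.0 if len(q) < self.limit else q[0] + self.window - now


class ResetTokens:
    """One live reset token per email, 15-minute expiry, single use, 3/hour."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.requests = SlidingWindow(RESET_MAX_REQUESTS, RESET_WINDOW, clock)
        self.active = {}   # email -> (sha256 of token, expiry); hashing at rest is an assumption

    def request(self, email: str):
        """Return the raw token to send to the user, or None when rate-limited.
        Keeping only the newest token is what invalidates any earlier one."""
        email = email.lower()
        if self.requests.blocked(email):
            return None
        self.requests.record(email)
        raw = secrets.token_urlsafe(32)
        self.active[email] = (self._digest(raw), self.clock() + RESET_TOKEN_TTL)
        return raw

    def consume(self, email: str, raw: str) -> bool:
        """Validate and burn the token; a second call with the same token fails."""
        email = email.lower()
        entry = self.active.get(email)
        if entry is None:
            return False
        token_hash, expires_at = entry
        if self.clock() >= expires_at:
            del self.active[email]
            return False
        if not hmac.compare_digest(token_hash, self._digest(raw)):
            return False
        del self.active[email]
        return True

    @staticmethod
    def _digest(raw: str) -> str:
        return hashlib.sha256(raw.encode()).hexdigest()


class FakeClock:
    """Controllable clock so the scenario below runs instantly."""
    def __init__(self, t: float = 1_000.0):
        self.t = t
    def __call__(self) -> float:
        return self.t
    def advance(self, seconds: float) -> None:
        self.t += seconds


def demo() -> dict:
    """Constructed scenario exercising both controls; returns what was observed."""
    clock, out = FakeClock(), {}
    failures = SlidingWindow(LOGIN_MAX_FAILURES, LOGIN_WINDOW, clock)
    key = ("203.0.113.7", "alice@example.com")          # constructed IP + email
    for _ in range(4):
        failures.record(key)
    out["locked_after_4"] = failures.blocked(key)        # False
    failures.record(key)
    out["locked_after_5"] = failures.blocked(key)        # True
    out["retry_after"] = failures.retry_after(key)       # 900.0
    clock.advance(LOGIN_WINDOW + 1)
    out["locked_after_cooldown"] = failures.blocked(key) # False

    resets, email = ResetTokens(clock), "alice@example.com"
    first, second = resets.request(email), resets.request(email)
    out["superseded_token_works"] = resets.consume(email, first)      # False
    out["latest_token_works"] = resets.consume(email, second)         # True
    out["token_reuse_works"] = resets.consume(email, second)          # False
    third = resets.request(email)
    out["fourth_request_allowed"] = resets.request(email) is not None # False
    clock.advance(RESET_TOKEN_TTL + 1)
    out["expired_token_works"] = resets.consume(email, third)         # False
    return out
```

The lockout key is the (IP, email) pair exactly as the page describes, so an attacker rotating source addresses is not stopped by this counter alone; that is the trade-off of not locking the account globally.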
Every user-generated document (enrollments, certifications, lesson_progress, practical_attempts, audit_log, chat_messages) is stamped with the owning org_id on write. Cross-org queries are blocked at the route layer for the squad, suggest, plan, MITRE coverage and compliance pack routes.
Every Open Badge certificate carries a JWT signed with HMAC-SHA256. Because HMAC verification needs the server-side secret, third parties verify a badge by calling the public /verify/{badge_id} endpoint rather than checking the signature themselves; tampered or revoked badges return INVALID.
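The token_version check and the badge verification endpoint both reduce to verifying an HS256 JWT under the server key and then applying one extra rule, so one added example covers both passages. This is illustration code, not DefDossier's implementation: the key, the user and badge records, the claim names `ver` and `badge_id`, and the response strings are assumptions (the page confirms only `ver`, `token_version`, HMAC-SHA256 and the INVALID result).

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Server-side signing key. Assumed for the example; the real key lives in
# runtime configuration and is never shared with badge verifiers.
SECRET_KEY = b"example-only-signing-key-do-not-reuse"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes = SECRET_KEY) -> str:
    """Produce a compact HS256 JWT (header.payload.signature)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def verify_jwt(token: str, key: bytes = SECRET_KEY, now: Optional[float] = None) -> Optional[dict]:
    """Claims if the HS256 signature is valid and the token is unexpired, else None.
    The alg header is pinned so a token rewritten with alg=none is rejected first."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        claims = json.loads(_b64url_decode(p))
    except (ValueError, TypeError):      # wrong segment count, bad base64 or JSON
        return None
    if not isinstance(claims, dict):
        return None
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        return None
    return claims


# Constructed user record; token_version is bumped on every password reset.
USERS = {"user-1": {"token_version": 2}}


def validate_session(token: str, users: dict = USERS, now: Optional[float] = None) -> Optional[dict]:
    """Signature check plus the token_version rule: a token whose ver claim
    differs from the user's current token_version predates a reset."""
    claims = verify_jwt(token, now=now)
    if claims is None:
        return None
    user = users.get(claims.get("sub"))
    if user is None or claims.get("ver") != user["token_version"]:
        return None
    return claims


def revoke_all_sessions(user_id: str, users: dict = USERS) -> None:
    """What a password reset does server-side: no token blocklist, just a bump."""
    users[user_id]["token_version"] += 1


def issue_badge(badge_id: str, recipient: str, achievement: str) -> str:
    return sign_jwt({"badge_id": badge_id, "sub": recipient, "achievement": achievement})


# Constructed badge store (badge_id -> stored JWT) and revocation set.
BADGES = {
    "badge-0001": issue_badge("badge-0001", "alice@example.com", "Incident Response L1"),
    "badge-0002": issue_badge("badge-0002", "bob@example.com", "Incident Response L1"),
}
REVOKED = {"badge-0002"}


def verify_badge(badge_id: str, badges: dict = BADGES, revoked: set = REVOKED) -> str:
    """Modelled logic of a public /verify/{badge_id} endpoint: VALID only if the
    stored JWT verifies under the server key, names this badge_id, and is not revoked."""
    token = badges.get(badge_id)
    claims = verify_jwt(token) if token else None
    if claims is None or claims.get("badge_id") != badge_id or badge_id in revoked:
        return "INVALID"
    return "VALID"


def tamper(token: str, **changes) -> str:
    """Rewrite payload claims without re-signing, as a forger would."""
    h, p, s = token.split(".")
    claims = json.loads(_b64url_decode(p))
    claims.update(changes)
    return f"{h}.{_b64url(json.dumps(claims, separators=(',', ':')).encode())}.{s}"
```

Two details matter in practice: the algorithm is pinned before the signature is checked, and a badge is looked up by its id rather than accepted from the caller, so a verifier never has to handle an attacker-supplied token at all.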
All HTTP traffic to defdossier.com is terminated at Cloudflare with TLS 1.3 and HSTS. The Emergent edge does not accept plaintext HTTP for the production hostname.
The production database is MongoDB hosted by the Emergent platform. Encryption at rest depends on volume-level encryption in the underlying managed-Mongo offering; written attestation from Emergent infrastructure is still pending.
Password reset requests and completions, together with compliance pack email sends, are appended to db.audit_log with user_id, source IP and timestamp. The application only ever inserts into this collection; append-only behaviour is enforced by the application, not by the database.
Every compliance pack email send records the sender, recipient, subject user, and Resend message id — enabling later proof of delivery to procurement officers.
defdossier.com publishes SPF (include:amazonses.com), DKIM (Resend's resend._domainkey selector) and DMARC records, verified through Resend domain authentication. The DMARC policy is currently p=none (monitoring only): receiving servers report mail that fails SPF/DKIM alignment but do not quarantine or reject it.
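A checker for the SPF and DMARC records above, as an added example (not a DefDossier tool). The two record strings are constructed to match what the page states; the `~all` qualifier and the `rua=` reporting address are assumptions, since the page names neither. DKIM is not modelled because verifying it needs the published public key and a signed message.

```python
def parse_dmarc(record: str) -> dict:
    """DMARC records are ';'-separated tag=value pairs."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def parse_spf(record: str) -> dict:
    """Collect include: targets and the qualifier on the trailing 'all' term."""
    includes, all_qualifier = [], None
    for term in record.split()[1:]:              # skip the v=spf1 version term
        if term.lower().startswith("include:"):
            includes.append(term.split(":", 1)[1])
        elif term.lstrip("+-~?").lower() == "all":
            all_qualifier = term[0] if term[0] in "+-~?" else "+"   # bare 'all' means +all
    return {"includes": includes, "all": all_qualifier}


def assess(spf_record: str, dmarc_record: str) -> dict:
    """Return the parsed facts plus findings a mail-security review would raise."""
    spf, dmarc, findings = parse_spf(spf_record), parse_dmarc(dmarc_record), []
    policy = dmarc.get("p")
    pct_text = dmarc.get("pct", "100")
    pct = int(pct_text) if pct_text.isdigit() else 0

    if not spf_record.lower().startswith("v=spf1"):
        findings.append("SPF: record does not start with v=spf1")
    if spf["all"] in (None, "+"):
        findings.append("SPF: no restrictive all term, so any sender passes SPF")
    if dmarc.get("v") != "DMARC1" or policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC: record invalid or missing p= tag")
    elif policy == "none":
        findings.append("DMARC p=none: failures are reported only; spoofed mail is still delivered")
    elif pct < 100:
        findings.append(f"DMARC: only {pct}% of failing mail is subject to {policy}")
    if not dmarc.get("rua"):
        findings.append("DMARC: no rua= address, so no aggregate reports arrive")

    return {
        "spf_includes": spf["includes"],
        "spf_all": spf["all"],
        "dmarc_policy": policy,
        "enforced": policy in ("quarantine", "reject") and pct == 100,
        "findings": findings,
    }


# Constructed records: the monitoring-only posture the page describes, and the
# enforcing posture it would move to once reports show only legitimate senders.
CURRENT_SPF = "v=spf1 include:amazonses.com ~all"                        # ~all assumed
CURRENT_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@defdossier.com"     # rua assumed
TARGET_DMARC = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@defdossier.com"


def demo() -> dict:
    return {"current": assess(CURRENT_SPF, CURRENT_DMARC),
            "target": assess(CURRENT_SPF, TARGET_DMARC)}
```

Against live DNS the same functions take the TXT strings returned for `defdossier.com` and `_dmarc.defdossier.com`; the point of the check is that `p=none` on its own never blocks a spoofed message, however correct SPF and DKIM are.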
Customer data is processed only by the subprocessors listed in the Trust Center. Any addition triggers a public update.
SOC 2 is targeted for 2027. Pre-audit control implementation is underway; engagement with an independent CPA partner is expected once the first paid customers are onboard.
ISO 27001 is under evaluation and will be pursued if customer demand and revenue justify the audit cost.
An external penetration test is targeted for Q3 2026, once seat count exceeds 50, with a CREST/OSCP-credentialed firm.
Backups are daily managed-Mongo snapshots taken via the Emergent platform; RTO/RPO targets are being formalised.
These are the only third parties that touch customer data. Any change to this list is reflected here within 30 days.
| Vendor | Purpose | Data category | Region |
|---|---|---|---|
| Cloudflare | DNS, TLS termination, edge CDN | Application traffic in transit (TLS is terminated at the edge, so request content is visible to Cloudflare in transit) | Global edge |
| Emergent | Application hosting, managed MongoDB | All application data | Multi-region |
| Resend | Transactional email delivery | Recipient email, message body | Tokyo (ap-northeast-1) |
| Amazon SES (via Resend) | SMTP relay | Email envelope + body | Tokyo (ap-northeast-1) |
| Anthropic | Sentinel AI assistant | Prompt + chat context for an active session | United States |
This is not a formal audit report. DefDossier does not currently hold SOC 2 or ISO 27001 attestation; both are listed above under Formal Audit as planned. If you require third-party attestation today, ask us before contracting: we will tell you where your requirement falls on our auditor partner timeline or, if it is blocking, propose an alternative path.
Questions? Email joel@defdossier.com.