Security draft
Security
Draft security overview for ReloadTMS. This page describes current internal design boundaries without claiming external audit status, customer-review readiness, or provider clearance.
DRAFT — under review, not yet in effect
This page is draft public copy for Todd/legal review only. It is not legal advice, not an approved policy, not a provider submission, and not authorization to publish or deploy.
Current controls to describe cautiously
- Authentication uses server-side sessions, hashed passwords, optional TOTP flows, and passkey support where enabled.
- Organization and tenant boundaries are enforced in backend access contracts and Postgres row-level security where deployed.
- OAuth and bank-provider tokens are encrypted by the application when those connections are enabled.
- Document bytes use an application encryption boundary when the required key configuration is present.
- Structured logs are designed to avoid request bodies, cookies, tokens, PDF bytes, and raw private financial or customer values.
- Sensitive-route and admin/support audit coverage remains a local control surface that still needs hosted and operational review.
What this page does not claim
- No SOC 2 report, CASA clearance, Google reviewer clearance, or completed external security review.
- No promise that every support/admin, export, deletion, restore, billing, or provider path has finished final review.
- No public vulnerability disclosure, scanner cadence, pen-test, bug bounty, or customer security packet until Todd authorizes that lane.
- No live-provider list beyond the draft subprocessors page and review packet.
Open items before this can take effect
- Hosted TLS/header, backup, restore, RLS, recovery, and document-byte restore evidence.
- Final support/admin access controls, reviewer roles, security contact, incident-response process, and sensitive export logging.
- Final vulnerability management cadence, dependency scanning, and customer-facing security wording.
- Todd/legal review of each security statement against implementation evidence.