Security draft

Security

Draft security overview for ReloadTMS. This page describes current internal design boundaries without claiming external audit status, customer-review readiness, or provider clearance.

DRAFT — under review, not yet in effect

This page is draft public copy for Todd/legal review only. It is not legal advice, not an approved policy, not a provider submission, and not authorization to publish or deploy.

Current controls to describe cautiously

  • Authentication uses server-side sessions, hashed passwords, optional TOTP flows, and passkey support where enabled.
  • Organization and tenant boundaries are enforced in backend access contracts and Postgres row-level security where deployed.
  • OAuth and bank-provider tokens are encrypted by the application when those connections are enabled.
  • Document bytes use an application encryption boundary when the required key configuration is present.
  • Structured logs are designed to avoid request bodies, cookies, tokens, PDF bytes, and raw private financial or customer values.
  • Sensitive-route and admin/support audit coverage remains a local control surface that still needs hosted and operational review.

What this page does not claim

  • No SOC 2 report, CASA clearance, Google reviewer clearance, or completed external security review.
  • No promise that every support/admin, export, deletion, restore, billing, or provider path has finished final review.
  • No public vulnerability disclosure, scanner cadence, pen-test, bug bounty, or customer security packet until Todd authorizes that lane.
  • No live-provider list beyond the draft subprocessors page and review packet.

Open items before this can take effect

  • Hosted TLS/header, backup, restore, RLS, recovery, and document-byte restore evidence.
  • Final support/admin access controls, reviewer roles, security contact, incident-response process, and sensitive export logging.
  • Final vulnerability management cadence, dependency scanning, and customer-facing security wording.
  • Todd/legal review of each security statement against implementation evidence.