Security Practices

We treat workforce-tracking data the same way we'd treat our own payroll — minimal, isolated, and audited. This page documents what we do, in concrete terms.

1. Network & transport

• All traffic is served over TLS 1.2+ (HSTS enabled in production).
• Let's Encrypt certificates auto-renewed via certbot.
• Webhooks (Razorpay, etc.) verified with HMAC-SHA256 signature checks before any side effect.

2. Tenant isolation

• Each Customer ("tenant") has a dedicated SQLite database file under database/tenant/<id>.sqlite.
• The admin panel resolves the active tenant from the request subdomain via stancl/tenancy middleware.
• Cross-tenant data access is structurally impossible — tenant queries can only see their own DB connection.
• The central database stores only platform-level data (tenants, users, plans, subscriptions, agent releases).

3. Authentication & access control

• Passwords hashed with bcrypt (cost 12).
• Optional OTP step-up at login via WhatsApp or email (configurable per user).
• hCaptcha on signup, login, and password-reset forms.
• Login rate limiting: 10 attempts/minute per email + IP. Failed attempts logged.
• GeoIP-based suspicious-login alerts (sent to the user via WhatsApp when enabled).
• Filament panel gating: tenant resources are inaccessible from the central panel and vice versa.
• Sanctum tokens scoped per tenant (agent tokens cannot move laterally).

4. Audit logging

• Every mutation (create / update / delete) on Employee, TrackerSetting, AppCategory records is logged.
• Diff-level detail: {field: [before, after]} for updates.
• Records the actor's user ID, email, IP, and user-agent.
• Tenant admins can view the full audit log under Settings → Audit Log.
• Audit writes never block the underlying mutation — failures are logged separately.

5. Screenshot privacy

• Each employee can opt to blur screenshots from sensitive apps (banking, password managers, personal email).
• Server-side guard: even if the agent doesn't blur, admin-side display applies a CSS blur for any flagged screenshot.
• Excluded-apps list lets employees suppress capture for specific apps entirely.
• Employees see exactly what's tracked and can download a JSON archive of all their data via the Privacy Center.

6. Backup & recovery

• Tenant DBs and screenshot storage backed up nightly (encrypted at rest).
• Restore tested quarterly against a sample tenant.
• Customer-managed off-site backup (S3 / SFTP) available on Business+ plans.

7. Vendor management

• Sub-processors listed in the DPA.
• 30-day notice before adding or replacing any sub-processor.
• External AI calls (Anthropic) are gated behind a per-tenant ANTHROPIC_API_KEY setting — disabled by default.

8. Code & deploy hygiene

• All changes go through PR review before reaching production.
• Production deploys are config-cached; APP_DEBUG=false in prod (no stack traces leak).
• Migrations run via tenants:migrate in transactions — partial schema state never persists.

9. Incident response

• 72-hour breach-notification commitment per the DPA (Art. 33 GDPR).
• Incident contact: security@lightlink.uludeveloper.top
• Responsible disclosure welcomed — we do not pursue good-faith researchers.

10. What we're working on next

Documented in our public repository as a roadmap. Highlights: AES-256 screenshot encryption at rest (in progress), real-time live-screen via WebSocket, ISO 27001 audit prep, optional self-hosted deployment for Enterprise.