Security isn't a checkbox — it's built into every layer of CommandOS. Here's a transparent look at the specific controls we implement to keep your business data safe.
These are the specific, implemented security measures protecting your data today — not aspirational goals, but active controls in production.
All data transmitted between your browser and our servers is encrypted using TLS 1.3. Data stored in our databases is encrypted at rest using AES-256 encryption, ensuring your sensitive business information is protected whether it's moving or stationary.
We support time-based one-time password (TOTP) two-factor authentication for all user accounts. MFA adds a critical second layer of verification beyond passwords, significantly reducing the risk of unauthorized account access.
Every database table is protected by row-level security policies enforced at the database engine level — not just in application code. This means tenant isolation is guaranteed even if application logic is bypassed. Your data is structurally separated from every other organization's data.
Granular permission systems control what each user can see and do within your organization. Roles include owner, admin, member, and viewer — each with precisely scoped access. Administrators can instantly revoke access when team members leave.
Every query, every record, every operation is scoped to your organization's tenant. Database-level security policies ensure that even in shared infrastructure, no organization can access another's data. This isolation is enforced by the database itself, not by application logic alone.
All access and modifications to sensitive data are tracked in immutable audit logs. Authentication events — including sign-ins, failed login attempts, and password resets — are logged with IP addresses and geolocation data for forensic analysis and compliance.
User sessions are managed with secure, signed tokens that expire automatically. Sessions are proactively refreshed during long-running operations to prevent interruption while maintaining security. Tokens are never stored in local storage in plain text.
All user inputs are validated and sanitized on both client and server. We use parameterized queries exclusively — no raw SQL is ever executed from user input. Content rendering is sanitized using DOMPurify to prevent cross-site scripting (XSS) attacks.
All API endpoints require authentication via signed JSON Web Tokens (JWT). Backend functions validate authorization on every request. Sensitive operations use service-role keys server-side, ensuring elevated privileges never reach the client.
Uploaded files are stored in isolated, access-controlled storage buckets. Files are served via signed URLs with expiration times, preventing unauthorized direct access. Storage policies enforce that users can only access files belonging to their organization.
All new accounts require email verification before gaining access to the platform. This prevents unauthorized account creation and ensures every user in your organization is who they claim to be.
Administrative dashboards provide real-time visibility into authentication activity across your organization — including sign-in patterns, failed login attempts, IP addresses, and geographic locations — enabling rapid detection of suspicious access.
Our security program is aligned to the NIST Cybersecurity Framework (CSF), a widely recognized standard for managing cybersecurity risk. We organize our controls across the five core NIST functions.
We maintain an inventory of data assets, classify sensitive information, and conduct risk assessments to understand our threat landscape.
Access controls, encryption, secure development practices, and staff training form our protective measures against threats.
Continuous monitoring, audit logging, and anomaly detection help us identify potential security events in real time.
Documented incident response procedures ensure we can quickly contain, analyze, and communicate about security events.
Backup and disaster recovery capabilities, combined with post-incident reviews, ensure continuity and continuous improvement.
We integrate security at every phase of our software development lifecycle, ensuring vulnerabilities are identified and addressed before they reach production.
We align our practices with leading data privacy regulations to ensure your data is handled responsibly and in accordance with the rights afforded to individuals under applicable law.
Aligned
Aligned
Aligned
Aligned
We value the security community and welcome responsible disclosure of potential vulnerabilities. If you discover a security issue, please report it to us privately.
Email: security@incommand.ai