Platform Security

Decision Governance™ is built with security at every layer. Detailed documentation is available in the document library.

Infrastructure

Hosted on DigitalOcean (NYC region, US). DigitalOcean maintains SOC 2 Type II and ISO 27001 certifications. All client data resides in the United States.

Encryption

All data is encrypted in transit (TLS 1.2+) and at rest (AES-256). HSTS is enforced. Sensitive fields are also encrypted at the application layer.

Authentication

All access to Decision Governance™ requires an authenticated session. Login issues an RS256-signed JSON Web Token (JWT) delivered as an HTTP-only cookie; tokens are short-lived (8-hour expiry) and individually revocable via a Valkey-backed revocation list, so a compromised credential can be invalidated immediately without waiting for the natural expiry. Every authenticated request re-verifies the JWT signature against the platform’s public key.

Tenant Isolation

Shared-database, row-level tenant isolation with mandatory ORM-level query scoping. JWT claims enforce tenant boundaries at the application layer — a token issued for one institution cannot be used to access another tenant’s data. Validated by automated tests on every deployment.
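
The per-request checks described under Authentication and Tenant Isolation, as an added example that is not the platform's own code. The `jti` and `tenant_id` claim names, the in-memory `revoked` set standing in for the Valkey-backed list, and the generated key pair are assumptions.

```javascript
// Added example; claim names (jti, tenant_id) and helper names are assumptions.
const crypto = require('node:crypto');

// Constructed key pair standing in for the platform's signing key.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const b64u = (v) => Buffer.from(v).toString('base64url');
const parse = (seg) => JSON.parse(Buffer.from(seg, 'base64url').toString('utf8'));

// Issuer side, present only so the example has tokens to verify.
function issue(claims, header = { alg: 'RS256', typ: 'JWT' }, key = privateKey) {
  const input = `${b64u(JSON.stringify(header))}.${b64u(JSON.stringify(claims))}`;
  return `${input}.${crypto.sign('sha256', Buffer.from(input), key).toString('base64url')}`;
}

// In-memory stand-in for the Valkey-backed revocation list, keyed by jti (assumed).
const revoked = new Set();
const deny = (reason) => ({ ok: false, reason });

// Per-request check: algorithm pin, signature, expiry, revocation, tenant boundary.
function authorize(token, requestedTenant, now = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return deny('malformed');
  let header, claims;
  try {
    header = parse(parts[0]);
    claims = parse(parts[1]);
  } catch {
    return deny('malformed');
  }
  if (!header || !claims || typeof claims !== 'object') return deny('malformed');
  // Pin the algorithm: the token header must never choose how it is verified.
  if (header.alg !== 'RS256') return deny('bad_alg');
  const signed = Buffer.from(`${parts[0]}.${parts[1]}`);
  const sig = Buffer.from(parts[2], 'base64url');
  if (!crypto.verify('sha256', signed, publicKey, sig)) return deny('bad_signature');
  // Claims are trusted only from this point on.
  if (typeof claims.exp !== 'number' || claims.exp <= now) return deny('expired');
  // A token without a jti could never be revoked, so it is rejected as well.
  if (!claims.jti || revoked.has(claims.jti)) return deny('revoked');
  if (claims.tenant_id !== requestedTenant) return deny('wrong_tenant');
  return { ok: true, claims };
}
```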

Application Security

Peer-reviewed code, CI/CD security scanning, OWASP Top 10 protections, immutable deployments.

Access Control

Least privilege with MFA on all production access. Quarterly access reviews. No routine personnel access to client data.
