Security Is Not an Add-On.
It's the Foundation.
EmuDee is built with security at every layer -- from encryption and access control to audit logging and compliance. Here's exactly how we protect your data.
Encryption & Authentication
All sensitive data is encrypted at rest and in transit, with industry-standard hashing for passwords and secrets.
| Feature | Implementation |
|---|---|
| Authentication Tokens | JWT with RS256 signing, short-lived access + refresh token rotation |
| Data Encryption at Rest | AES-256-GCM for sensitive fields (bank details, credentials vault) |
| Password Hashing | Bcrypt with cost factor 12; passwords never stored in plaintext |
| Transport Security | TLS 1.3 enforced on all connections; HSTS enabled |
| API Key Security | SHA-256 hashed storage; keys shown once at creation, never again |
Access Control
Fine-grained, role-based permissions ensure every user sees only what they need.
| Feature | Implementation |
|---|---|
| Role Hierarchy | 4 built-in roles: Owner, Admin, Manager, Member; custom roles on Enterprise |
| Granular Permissions | 150+ permissions with wildcard pattern matching (e.g., projects.*) |
| API Key Scoping | API keys scoped to specific permission sets; independent from user roles |
| Rate Limiting | Configurable per-endpoint rate limits; burst protection on auth endpoints |
| IP Allowlists | Optional IP restriction for API keys and admin access |
| Account Lockout | Progressive lockout after failed login attempts; admin unlock or time-based reset |
| Session Management | Idle timeout, concurrent session limits, cross-tab synchronization, forced logout |
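
As an added illustration (not EmuDee's code), this example combines three rows from the tables above: SHA-256 hashed API key storage, one-time display of the key, and wildcard scopes such as `projects.*`. The key format, the in-memory `KEY_STORE`, the function names, and the segment-wise wildcard semantics are assumptions, since the page does not specify them.

```python
import hashlib
import hmac
import secrets

# Hypothetical in-memory store: key_id -> (SHA-256 hex digest, granted scope patterns).
KEY_STORE = {}

def issue_api_key(scopes):
    """Create a key; the returned string is the only time the secret is visible."""
    key_id = secrets.token_hex(4)
    secret = secrets.token_urlsafe(32)            # 256 bits of randomness
    digest = hashlib.sha256(secret.encode()).hexdigest()
    KEY_STORE[key_id] = (digest, tuple(scopes))   # plaintext secret is never stored
    return f"{key_id}.{secret}"

def scope_allows(pattern, permission):
    """Segment-wise match (assumed semantics): a trailing '*' covers every
    remaining segment, a '*' elsewhere covers exactly one segment."""
    pat, perm = pattern.split("."), permission.split(".")
    for i, seg in enumerate(pat):
        if seg == "*" and i == len(pat) - 1:
            return len(perm) > i                  # needs at least one more segment
        if i >= len(perm) or (seg != "*" and seg != perm[i]):
            return False
    return len(pat) == len(perm)

def authorize(presented_key, permission):
    """True only if the key exists, its digest matches, and a scope covers the permission."""
    key_id, _, secret = presented_key.partition(".")
    record = KEY_STORE.get(key_id)
    if record is None or not secret:
        return False
    digest, scopes = record
    candidate = hashlib.sha256(secret.encode()).hexdigest()
    if not hmac.compare_digest(candidate, digest):    # constant-time comparison
        return False
    # Scopes belong to the key itself, independent of any user role.
    return any(scope_allows(p, permission) for p in scopes)
```

A fast, unsalted hash is acceptable here only because the key is a long random value; that reasoning does not carry over to user-chosen passwords, for which the page lists bcrypt.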
Data Isolation & Privacy
Multi-tenant architecture with strict data boundaries. Your data is yours alone.
| Feature | Implementation |
|---|---|
| Multi-Tenant Isolation | Tenant ID enforced on every database query via middleware; no cross-tenant data access |
| Unique User Constraint | Users are unique per tenant (same email can exist in different tenants) |
| Timestamp Storage | All timestamps stored in UTC; displayed in user's local timezone |
| Credential Storage | No raw credentials stored; all secrets encrypted or hashed before persistence |
Audit & Compliance
Comprehensive, tamper-resistant audit logging across all 30+ modules.
| Feature | Implementation |
|---|---|
| Audit Coverage | Every create, update, and delete action logged across all modules |
| Audit Fields | User ID, timestamp, IP address, action type, entity type, before/after snapshots |
| Sensitive Data Exclusion | Passwords, tokens, and encrypted fields automatically redacted from audit logs |
| Audit API | Paginated, filterable API for programmatic audit log access (Professional+) |
| Immutability | Audit records are append-only; no update or delete operations permitted |
Infrastructure
Production-grade infrastructure with automated deployments and monitoring.
| Feature | Implementation |
|---|---|
| Database | PostgreSQL 15 with connection pooling, automated backups, point-in-time recovery |
| Caching | Redis 7 for session storage, rate limiting, and query caching |
| Message Queue | RabbitMQ 3.12 for async event processing (notifications, webhooks, AI tasks) |
| Media Storage | Cloudinary with signed uploads, automatic format optimization, CDN delivery |
| Containerization | Docker containers orchestrated with Kubernetes; auto-scaling based on load |
| CI/CD | GitHub Actions with automated testing, security scanning, and zero-downtime deploys |
Compliance
EmuDee is designed to help your firm meet regulatory and industry standards.
| Feature | Implementation |
|---|---|
| GAAP Compliance | Double-entry accounting, fiscal period management, immutable journal entries |
| GDPR | Data export, right to deletion, consent management, EU data residency options |
| SOC 2 Type II | Security, availability, and confidentiality controls audited annually |
| ISO 27001 | Information security management system (ISMS) aligned with ISO 27001 framework |
Have Security Questions?
Our security team is happy to answer your questions, provide additional documentation, or walk through our security posture in detail.