Security
Built to withstand examination.
Compliance software holds some of a practice's most sensitive records. Our standard is that every security claim we make maps to a test, a database invariant or a recorded browser proof in our engineering evidence base — not to marketing copy.
Enforced practice isolation
Every practice's records are separated with database-enforced row-level security — isolation is applied by the database itself, not just application code, and is verified continuously.
Mandatory multi-factor authentication
Every user enrols authenticator-app MFA. Sensitive areas, including restricted reporting, require recent step-up verification. Sessions expire on inactivity and are individually revocable.
Tamper-evident audit trail
Every material action is recorded in a hash-chained audit log, so the history of a client file can be verified rather than asserted.
Restricted suspicious-matter workspaces
Suspicious-matter records are isolated from staff without an explicit grant — they do not appear in searches, work queues or audit views for unauthorised users.
Retention aligned to obligations
Evidence records carry seven-year retention aligned to AML/CTF record-keeping obligations, with deletion denied at the database privilege level.
Honest integration states
Every external integration is labelled live, sandbox or not connected. A simulated check can never satisfy a real compliance requirement — the database enforces it.
Infrastructure
The service runs on managed cloud infrastructure (Vercel and Neon) with encryption in transit and at rest. All application mutations pass through authenticated, same-origin-checked, schema-validated routes. Internal service endpoints fail closed when credentials are absent.
Responsible disclosure
If you believe you have found a security vulnerability, email security@cassandraaml.com. Please include enough detail to reproduce the issue and allow us reasonable time to remediate before public disclosure. We do not take legal action against good-faith research conducted within these guidelines.