Separate authenticated sessions
Administrators and purchasers use distinct HTTP-only JWT cookies. Portal and dashboard routes are protected independently.
This page summarizes security behaviors implemented in the current L3Ads application. It is not a certification claim or a blanket compliance guarantee.
Each item below maps to behavior present in the repository and running application.
Administrators and purchasers use distinct HTTP-only JWT cookies. Portal and dashboard routes are protected independently.
Account passwords are stored using bcrypt hashing rather than plaintext credentials.
Package downloads verify purchaser ownership and unlocked status before returning CSV or attachment ZIP content.
Login attempts and package downloads are throttled with sliding-window rate limits to reduce brute-force and abuse pressure.
Social Security numbers and dates of birth ingested through the consolidator pipeline are encrypted at rest with AES-256-GCM. This scope does not claim encryption for every field or every import path.
Consolidator uploads and attachment blobs live in private R2 or S3-compatible storage. Attachment previews use short-lived signed URLs.
Security questions about the vault can be included in your contact message.