Security

Controls built into the vault, not bolted on as marketing.

This page summarizes security behaviors implemented in the current L3Ads application. It is not a certification claim or a blanket compliance guarantee.

Implemented controls

Security as shipped.

Each item below maps to behavior present in the repository and running application.

Separate authenticated sessions

Administrators and purchasers use distinct HTTP-only JWT cookies. Portal and dashboard routes are protected independently.

Password hashing

Account passwords are stored using bcrypt hashing rather than plaintext credentials.

Ownership and unlock checks

Package downloads verify purchaser ownership and unlocked status before returning CSV or attachment ZIP content.

Rate-limited sensitive actions

Login attempts and package downloads are throttled with sliding-window rate limits to reduce brute-force and abuse pressure.

Encrypted sensitive consolidator fields

Social Security numbers and dates of birth ingested through the consolidator pipeline are encrypted at rest with AES-256-GCM. This scope does not claim encryption for every field or every import path.

Private object storage

Consolidator uploads and attachment blobs live in private R2 or S3-compatible storage. Attachment previews use short-lived signed URLs.

Next step

Need more detail?

Security questions about the vault can be included in your contact message.