Security at AuditingLab
Technical security controls protecting clinical research data on the AuditingLab platform.
Security Controls
- Encryption: TLS 1.2+ for all data in transit; AES encryption at rest via Neon Postgres.
- Identity: Powered by Clerk (SOC 2 Type II). Short-lived tokens with automatic rotation.
- RBAC: Role-based access control with tenant boundaries for studies, sites, and documents. Users only access data they are authorized for.
- Immutable activity trail: Append-only audit logs for all oversight resources — who did what, when, and why.
- File storage: Sanitized filenames, tenant-scoped internal storage, path traversal prevention.
- Headers & Rate Limiting: HSTS, Content Security Policy, and rate limiting on all public and intelligence endpoints.
- Secrets Management: Environment variables only; no secrets hard-coded in source or logs.
Security Roadmap
- SOC 2 Type II report (in progress)
- Off-site object storage with versioning
- Bring-your-own-key (BYOK) encryption
- Annual penetration testing
- SSO via SAML/OIDC (Enterprise)
To report a security issue, email security@auditinglab.com.