Security

Brivio is designed for evidence-grade compliance. Three pillars:

1. Authentication

• Email + password with bcrypt hashing (cost factor 12)
• Google OAuth (Auth.js v5)
• WebAuthn passkeys — register from Settings → Security; the device generates a key pair and shares only the public key with us

Sessions use JWT cookies (httpOnly, Secure, SameSite=Lax). No refresh tokens — re-authenticate after expiry.

2. Authorization

Role-based: OWNER, ADMIN, EDITOR, VIEWER. Sensitive actions (regime switch, journal posting, billing changes) check the membership role server-side; the UI is decorative.

3. Audit hash chain

Every business mutation appends a row to audit_logs via appendAuditLog. Each row's hash field is SHA-256(prevHash || canonicalJson(payload)), giving a per-organization tamper-evident chain.

Verify the chain anytime from Admin → Audit log — the badge at the top reads either:

• Chain verified · N entries (green shield)
• Chain broken at seq #X (red shield) — indicates a row was edited or deleted

A daily Merkle anchor over the chain head is reserved for a future phase (TSA-stamped).

Reporting a vulnerability

Email security@brivio.ro with a PoC. We respond within 48h.