Security & Compliance
Access Control Policy
Who can access what — enforced by RBAC, MFA, and audit.
- Status: Active
- Effective: June 3, 2026
- Owner: Chief Information Security Officer
RBAC
Roles include inmate, family member, attorney, staff, institutional admin, and founder. Roles are stored in a separate user_roles table and checked via SECURITY DEFINER functions.
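The "separate user_roles table checked via SECURITY DEFINER functions" pattern, as an added PostgreSQL example rather than this policy's own schema; the table, function, role and session-setting names are assumptions.

```sql
-- Constructed example (not the policy's own schema). Names are assumptions.
CREATE TYPE app_role AS ENUM (
  'inmate', 'family_member', 'attorney', 'staff', 'institutional_admin', 'founder'
);
CREATE ROLE app_user;  -- assumed login role the application connects as

-- Roles live in their own table rather than a user-editable profile column,
-- so an ordinary write can never grant the writer a role.
CREATE TABLE user_roles (
  user_id uuid     NOT NULL,
  role    app_role NOT NULL,
  PRIMARY KEY (user_id, role)
);
-- RLS on, no policies: app_user cannot read or write user_roles directly;
-- the only path to it is the definer function below.
ALTER TABLE user_roles ENABLE ROW LEVEL SECURITY;

-- SECURITY DEFINER runs as the function owner, so the lookup bypasses RLS on
-- user_roles and avoids the recursion that a policy on user_roles which itself
-- queries user_roles would cause. search_path is pinned so a caller-controlled
-- schema cannot shadow public.user_roles.
CREATE OR REPLACE FUNCTION has_role(p_user uuid, p_role app_role)
RETURNS boolean
LANGUAGE sql STABLE SECURITY DEFINER
SET search_path = public, pg_temp
AS $$
  SELECT EXISTS (
    SELECT 1 FROM public.user_roles
    WHERE user_id = p_user AND role = p_role
  );
$$;
REVOKE ALL ON FUNCTION has_role(uuid, app_role) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION has_role(uuid, app_role) TO app_user;

-- Consumer: a table only institutional admins and the founder may read.
-- The application sets app.user_id per session (assumed convention);
-- current_setting(..., true) returns NULL instead of erroring when unset,
-- and has_role(NULL, ...) is simply false.
CREATE TABLE audit_log (
  id bigserial PRIMARY KEY, at timestamptz NOT NULL DEFAULT now(), event text NOT NULL
);
ALTER TABLE audit_log ENABLE ROW LEVEL SECURITY;
CREATE POLICY audit_read_admin ON audit_log
  FOR SELECT TO app_user
  USING (
    has_role(current_setting('app.user_id', true)::uuid, 'institutional_admin')
    OR has_role(current_setting('app.user_id', true)::uuid, 'founder')
  );
```

Because user_roles has RLS enabled and no policies, a direct `SELECT * FROM user_roles` as app_user returns nothing, while `has_role()` still answers correctly; check this with `SET ROLE app_user` after deploying.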
MFA
TOTP MFA is required for founder and institutional admin roles and recommended for attorneys.
Session Security
Idle and absolute session timeouts, secure cookies, refresh-token rotation, and device fingerprinting on privileged accounts.
Lockout
Account lockout after repeated failed logins with admin-reset workflow.
