Authentication
Auth.js-based sessions, password reset flows, lockout protections and owner MFA support for sensitive owner access.
Security
This page summarizes the expected security posture for evaluation. Final commitments belong in the signed contract, DPA and security annex.
Users, roles, documents and operational records are scoped by workspace so one account can belong to several spaces without mixing data.
PostgreSQL stores structured records. MinIO or compatible object storage stores files. TLS protects data in transit. Encryption at rest depends on the selected hosting layer.
The target deployment uses VPS, Docker and Traefik. Region is confirmed during procurement, with EU hosting recommended for GDPR customers.
Target policy: daily encrypted database and file backups, tested restore procedure, defined retention and monitored backup jobs before production opening.
Administrative and sensitive actions should be logged for review, troubleshooting and security investigations.
Password reset, session expiry and owner verification rules are designed to reduce account risk. Customer SSO can be reviewed for larger plans.
Security issues can be sent to security@linkfield.app. Material customer incidents should be communicated through agreed channels and status updates.
GDPR is the immediate target. SOC 2 or ISO 27001 can be considered once commercial usage and operational controls justify the program.
| Provider | Purpose | Status |
|---|---|---|
| Hosting provider | Application, database and file infrastructure | To confirm per customer region |
| Stripe | Payment processing for self-service plans | Used when Payment Links are active |
| Email provider | Transactional email, invitations and resets | To confirm before launch |
| Analytics provider | Privacy-friendly site analytics | Optional, only if enabled in cookie policy |
Send security findings to security@linkfield.app. Include affected URL, reproduction steps, impact and contact details. Do not access, modify or delete customer data while testing.