Built to keep your data safe
Security is not an afterthought at Aideworks. Here is how we protect your account, your client data and the monitoring pipeline.
EU-only infrastructure
All data is processed and stored on servers within the European Union. No data is transferred to the United States or other third countries. This satisfies GDPR data residency requirements without configuration or workarounds.
Account security
Mandatory MFA for all accounts
Every password-based account is required to enrol a TOTP authenticator app (Google Authenticator, Authy, 1Password, etc.) before accessing the dashboard. This is enforced at the API gateway—not just the UI—so it cannot be bypassed.
HttpOnly Secure cookies
Your session token is stored in an HttpOnly, Secure, SameSite cookie—never in localStorage or JavaScript-accessible storage. Scripts cannot read or steal it.
Refresh token rotation with theft detection
Every session refresh issues a new token and invalidates the old one. If a stolen token is replayed, the entire session family is immediately revoked—protecting you even if a device is compromised.
RS256 asymmetric JWT signing
Tokens are signed with a private key and verified with a separate public key. There is no shared secret that could be leaked across services.
Phone-anchored account recovery
Password resets and authenticator resets require confirmation of your registered phone number’s last four digits. No SMS is sent—your phone number is a recovery anchor, not a second authentication factor.
Rate limiting and brute-force protection
Login, registration and password reset endpoints are rate-limited per IP. Five consecutive wrong MFA codes trigger a 15-minute lockout. We log all auth events with IP and user-agent.
Data protection
Encrypted credential storage
All passwords are hashed with bcrypt (cost factor 12). TOTP authenticator secrets are encrypted with AES-256-GCM before storage. Only the hash of each backup code is ever stored.
Parameterised queries only
Every database query uses parameterised values. There is no string concatenation in SQL—SQL injection is structurally prevented, not just guarded against.
Automatic IP anonymisation
IP addresses in the audit log are anonymised after 90 days. DNS and SSL snapshots are deleted after 24 months. We collect what we need and discard what we don’t.
Responsible disclosure
If you discover a security vulnerability in Aideworks, please report it responsibly to security@aideworks.com. We will acknowledge your report within 48 hours and keep you updated on remediation progress. We do not pursue legal action against researchers acting in good faith.