Trust framework for the evaluation stage

Project 4.0 is built as a serious operational system with isolated environments, access control logic and structured architecture. This page describes the specific security measures that protect your data.

Suitable for conversations where

  • security and trust matter from the start
  • the system is being evaluated from multiple angles
  • working with operational data requires confidence
  • GDPR compliance is a requirement

Authentication and access control

The platform uses multiple layers for secure identification and access management:

πŸ” Two-factor authentication (2FA)

TOTP authenticator mechanism with recovery codes. An additional layer of protection at login β€” beyond a password, a second confirmation is required.

πŸ”‘ Firebase Auth + OAuth

Email/password and Google OAuth for flexibility in corporate environments. Custom claims for roles: admin, superuser, poweruser, employee.

πŸ›‘οΈ Account Protection

Automatic session timeout after 1 hour of inactivity. Account lockout after multiple failed login attempts.

Tenant environment isolation

Every organization operates in a fully isolated environment (multi-tenant architecture). One tenant's data is never accessible to another:

  • Firestore isolation β€” all data is under path /{tenantId}/data/...
  • Security rules β€” tenant boundaries are verified on every read/write
  • Custom claims β€” tenant, employeeid, admin claims on Firebase Auth token
  • Server-side enforcement β€” Cloud Function writes go through Admin SDK with tenant verification
  • Null tenant bypass prevention β€” enforced non-null check at every level

Data protection

  • HTTPS enforcement β€” entire platform with redirect to HTTPS
  • Anti-forgery tokens β€” protection on all forms
  • Path traversal prevention β€” validation on every file upload
  • File size limits β€” controlled maximum upload size
  • GCP Secret Manager β€” API keys migrated out of code
  • Response compression β€” optimization + security

GDPR compliance and audit trail

Project 4.0 covers GDPR requirements with built-in mechanisms:

  • Personal Data Download β€” every user can download their personal data
  • Delete Personal Data β€” right to deletion upon request
  • Correlation IDs β€” every action can be traced with a unique identifier (mob_/cf_/net_ prefix UUID)
  • Audit trail β€” full change history with timestamp and user ID
  • Firestore permissive rules β€” closed (allow write: if false) β€” all writes go only through Cloud Functions

When needed, we provide detailed technical documentation for security review with enterprise clients.

Security in numbers

Two-factor authenticationβœ… TOTP
Tenant isolationβœ… full
GDPR complianceβœ…
HTTPSβœ… enforced
Secret managementGCP Secret Manager
Session timeout1 hour
Correlation IDscross-layer tracing

If you need more information about security and trust, let's discuss it in the right context.

We'll prepare the appropriate next conversation based on your evaluation stage and the information you need. For enterprise processes, we provide full documentation for security review.

Contact us