Security overview¶
AccuPredix is designed as a multi-tenant B2B SaaS product, with optional enterprise controls on the Agency tier.
Authentication¶
| Method | Use |
|---|---|
| Email + password | Default registration |
| Google / Microsoft OAuth | Optional SSO-lite |
| SAML / OIDC SSO | Agency tier (org settings) |
| API keys | Public REST API (Growth+) |
| JWT | Web session (httpOnly / bearer) |
Passwords are stored only as hashes, never in plaintext. JWT access tokens expire after `ACCESS_TOKEN_LIFETIME` (configurable in Admin settings); shorten it if your threat model includes stolen tokens.
Authorization¶
- Org RBAC — owner, admin, analyst, viewer
- Workspace scope — API keys may be limited to one workspace
- Platform admin — separate `is_superuser` flag for the `/admin` console
- Impersonation — read-only operator view; audited
Tenant isolation¶
| Layer | Mechanism |
|---|---|
| Application | Org membership checks on every BFF route |
| Forecast data | Dedicated Postgres database per tenant (accupredix_t_<slug>) |
| Connectors | Credentials encrypted with AES-256-GCM when an encryption key is configured; configure the key before connecting third-party apps, because without it this encryption is not applied |
| PII fields | Optional field-level encryption in service (Growth+, SEC-004) |
Cross-tenant requests are rejected at the API layer. Security researchers and platform operators must not access another tenant's data except through the explicit, audited impersonation flow.
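As an added illustration of the application-layer checks described above (example code written for this page, not AccuPredix's own implementation), the following Python shows an org-membership check with the four org roles and a workspace-scoped API-key check. The linear role ordering, the storage of API keys as SHA-256 hashes, and the org, user and key names are assumptions made for the example.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Org roles from the Authorization section, ordered so a higher role implies the lower ones.
# (assumption: the page lists the roles but not their ordering)
ROLE_RANK = {"viewer": 0, "analyst": 1, "admin": 2, "owner": 3}


class Forbidden(Exception):
    """The BFF would turn this into an HTTP 403; the message is for logs, not the client."""


@dataclass
class Membership:
    user_id: str
    org_id: str
    role: str


@dataclass
class ApiKey:
    org_id: str
    workspace_id: Optional[str]  # None = valid for every workspace of the org


@dataclass
class Directory:
    """In-memory stand-in for the membership and API-key tables (constructed for the example)."""
    memberships: Dict[Tuple[str, str], Membership] = field(default_factory=dict)
    api_keys: Dict[str, ApiKey] = field(default_factory=dict)  # keyed by SHA-256 of the raw key


def key_id(raw_key: str) -> str:
    # Store only a hash of the key so a database read does not yield usable credentials (assumption).
    return hashlib.sha256(raw_key.encode()).hexdigest()


def require_membership(d: Directory, user_id: str, org_id: str, min_role: str = "viewer") -> Membership:
    """The check every BFF route runs before touching the tenant database accupredix_t_<slug>."""
    m = d.memberships.get((user_id, org_id))
    if m is None:
        # A non-member and a non-existent org look the same to the caller.
        raise Forbidden("not a member of this org")
    if ROLE_RANK[m.role] < ROLE_RANK[min_role]:
        raise Forbidden(f"role {m.role} is below required {min_role}")
    return m


def require_api_key_scope(d: Directory, raw_key: str, org_id: str, workspace_id: str) -> ApiKey:
    """Workspace-scoped API keys: a key bound to one workspace is rejected for any other."""
    meta = d.api_keys.get(key_id(raw_key))
    if meta is None or meta.org_id != org_id:
        # An unknown key and a key belonging to another org are rejected identically.
        raise Forbidden("invalid API key for this org")
    if meta.workspace_id is not None and meta.workspace_id != workspace_id:
        raise Forbidden("API key is scoped to a different workspace")
    return meta


def allowed(check, *args) -> bool:
    """True if the check passes, False if it raises Forbidden."""
    try:
        check(*args)
        return True
    except Forbidden:
        return False


def sample_directory() -> Directory:
    """Two orgs, two users, two keys; all values are constructed for this example."""
    d = Directory()
    d.memberships[("u1", "acme")] = Membership("u1", "acme", "analyst")
    d.memberships[("u2", "globex")] = Membership("u2", "globex", "owner")
    d.api_keys[key_id("key-acme-ws1")] = ApiKey("acme", "ws1")
    d.api_keys[key_id("key-acme-all")] = ApiKey("acme", None)
    return d


if __name__ == "__main__":
    d = sample_directory()
    print(allowed(require_membership, d, "u1", "acme", "analyst"))            # True
    print(allowed(require_membership, d, "u1", "globex"))                     # False: cross-tenant
    print(allowed(require_api_key_scope, d, "key-acme-ws1", "acme", "ws2"))   # False: wrong workspace
```

Both checks fail closed and give the same answer for "does not exist" and "not yours", so a caller cannot enumerate orgs, workspaces or keys by comparing error responses.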
Data regions & retention¶
- Data region selected at org creation (EU default)
- Retention policies (Growth+) — configurable upload purge windows
- GDPR — export and erasure flows under Settings → Privacy
Network controls¶
- CORS — restricted to known frontend origins
- IP allowlist (Growth+) — per-workspace API access control
- Internal endpoints — `/internal/*` require a shared secret; they return 404 when no secret is configured
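An added example (written for this page, not AccuPredix code) of the two request-gating decisions in this list: a per-workspace IP allowlist and the fail-closed shared-secret gate on `/internal/*`. The handling of `X-Forwarded-For`, the 403 status on a wrong secret and the sample addresses are assumptions; the page only states that the endpoints return 404 when the secret is unset.

```python
import hmac
import ipaddress
from typing import Dict, Iterable, Optional


def client_ip(headers: Dict[str, str], peer_ip: str, trusted_proxies: int = 0) -> str:
    """Decide which address an IP allowlist is applied to.

    X-Forwarded-For is client-controlled, so it is only honoured when the app is
    known to sit behind `trusted_proxies` proxies that each append one hop to it
    (assumption: the page does not say how AccuPredix is deployed). With zero
    trusted proxies the TCP peer address is used as-is.
    """
    if trusted_proxies <= 0:
        return peer_ip
    chain = [p.strip() for p in headers.get("X-Forwarded-For", "").split(",") if p.strip()]
    chain.append(peer_ip)  # the TCP peer is the last hop in the chain
    idx = len(chain) - 1 - trusted_proxies  # the client sits N hops before the peer
    return chain[idx] if idx >= 0 else peer_ip


def ip_allowed(allowlist: Iterable[str], ip: str) -> bool:
    """Per-workspace allowlist of CIDR ranges; an empty list means the control is off."""
    nets = [ipaddress.ip_network(n, strict=False) for n in allowlist]
    if not nets:
        return True
    addr = ipaddress.ip_address(ip)
    # An IPv6 address never matches an IPv4 range (and vice versa): no accidental pass.
    return any(addr in n for n in nets)


def internal_gate(presented: Optional[str], configured: Optional[str]) -> int:
    """HTTP status for a request to /internal/*.

    No configured secret: 404, so the endpoints are indistinguishable from missing
    routes rather than silently open. Wrong or absent secret: 403 (assumption; the
    page only specifies the unset case). The comparison is constant-time.
    """
    if not configured:
        return 404
    if presented is None or not hmac.compare_digest(presented.encode(), configured.encode()):
        return 403
    return 200


def workspace_request_allowed(allowlist: Iterable[str], headers: Dict[str, str],
                              peer_ip: str, trusted_proxies: int = 0) -> bool:
    """Combine both steps the way a BFF middleware would for a Growth+ workspace."""
    return ip_allowed(allowlist, client_ip(headers, peer_ip, trusted_proxies))


if __name__ == "__main__":
    office = ["203.0.113.0/24"]  # constructed allowlist
    print(workspace_request_allowed(office, {}, "203.0.113.7"))                                    # True
    # Spoofed X-Forwarded-For with no trusted proxy in front: the peer address wins.
    print(workspace_request_allowed(office, {"X-Forwarded-For": "203.0.113.7"}, "198.51.100.1"))  # False
    print(internal_gate("anything", None))                                                         # 404
```

The allowlist is only as good as the address it is applied to: if a load balancer sits in front of the app, `trusted_proxies` must match the real hop count, otherwise either every client is blocked or any client can forge its way onto the list.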
Connector & webhook security¶
- Shopify webhooks validated with HMAC-SHA256
- OAuth state parameter on connector authorization flows
- Secret config fields redacted in API responses
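The following Python is an added example for the first two items above (written for this page; it is not AccuPredix's connector code). Shopify signs each webhook with the header `X-Shopify-Hmac-Sha256`, the base64 of HMAC-SHA256 over the raw request body keyed with the app secret; the example verifies that over the raw bytes and shows why re-serialising the JSON first breaks verification. It then shows a server-side OAuth `state` that is single-use, expiring and bound to the org and connector that started the flow. The payload, the secret, the 600-second state lifetime and the in-memory state store are assumptions for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional

# --- Shopify webhooks --------------------------------------------------------
# Shopify sends X-Shopify-Hmac-Sha256: base64(HMAC-SHA256(app_secret, raw request body)).


def shopify_signature(app_secret: str, raw_body: bytes) -> str:
    digest = hmac.new(app_secret.encode(), raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def verify_shopify_webhook(app_secret: str, raw_body: bytes, header_value: Optional[str]) -> bool:
    """Verify over the raw bytes exactly as received; constant-time compare against the header."""
    if not header_value:
        return False
    return hmac.compare_digest(shopify_signature(app_secret, raw_body), header_value)


def webhook_scenario() -> Dict[str, bool]:
    """Constructed payload; shows the two ways verification is commonly broken."""
    secret = "shpss_example_secret"  # constructed, not a real secret
    raw = b'{"id":1001,"total_price":"10.00"}'
    header = shopify_signature(secret, raw)
    tampered = raw.replace(b'"10.00"', b'"0.00"')
    # Re-serialising the parsed JSON changes whitespace, so the HMAC no longer matches:
    reserialised = json.dumps(json.loads(raw)).encode()
    return {
        "valid": verify_shopify_webhook(secret, raw, header),
        "tampered": verify_shopify_webhook(secret, tampered, header),
        "reserialised": verify_shopify_webhook(secret, reserialised, header),
        "missing_header": verify_shopify_webhook(secret, raw, None),
    }


# --- OAuth state on connector authorization ----------------------------------
STATE_TTL_SECONDS = 600  # assumption: the page does not give a lifetime


def new_oauth_state(store: Dict[str, dict], org_id: str, connector: str, now: float) -> str:
    """Unguessable, server-side state bound to the org and connector that started the flow."""
    state = secrets.token_urlsafe(32)
    store[state] = {"org_id": org_id, "connector": connector, "expires": now + STATE_TTL_SECONDS}
    return state


def consume_oauth_state(store: Dict[str, dict], state: str, org_id: str, connector: str, now: float) -> bool:
    """Callback side: single use, unexpired, and for the same org/connector as the session."""
    entry = store.pop(state, None)  # pop = a replayed state fails the second time
    if entry is None or now > entry["expires"]:
        return False
    return entry["org_id"] == org_id and entry["connector"] == connector


def oauth_state_scenario() -> Dict[str, bool]:
    store: Dict[str, dict] = {}
    t0 = 1_700_000_000.0  # constructed clock
    s = new_oauth_state(store, "acme", "shopify", t0)
    first = consume_oauth_state(store, s, "acme", "shopify", t0 + 5)
    replay = consume_oauth_state(store, s, "acme", "shopify", t0 + 6)
    s2 = new_oauth_state(store, "acme", "xero", t0)
    other_org = consume_oauth_state(store, s2, "globex", "xero", t0 + 5)
    s3 = new_oauth_state(store, "acme", "intuit", t0)
    expired = consume_oauth_state(store, s3, "acme", "intuit", t0 + STATE_TTL_SECONDS + 1)
    forged = consume_oauth_state(store, "not-a-real-state", "acme", "shopify", t0)
    return {"first": first, "replay": replay, "other_org": other_org,
            "expired": expired, "forged": forged}


if __name__ == "__main__":
    print(webhook_scenario())      # valid True, the rest False
    print(oauth_state_scenario())  # first True, the rest False
```

The binding of `state` to the org is what stops a login-CSRF style attack in which a victim is tricked into completing an authorization flow started by someone else, which would otherwise attach the attacker's store to the victim's org.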
Audit & compliance¶
- Org audit log (admin+) — member changes, settings, billing events
- Platform audit log — operator actions across all orgs
- Compliance sheet in admin console for DPA/subprocessor tracking
Vulnerability disclosure¶
Report security issues responsibly — see Vulnerability disclosure.
Machine-readable policy: /.well-known/security.txt on the app domain.
Customer responsibilities¶
- Rotate API keys periodically
- Use strong passwords, and enable SAML/OIDC SSO if you are on the Agency tier
- Configure IP allowlists for sensitive workspaces
- Review connector permissions in third-party apps (Shopify, Intuit, Xero)