Security & Trust

Every Unnoodle account (tenant) operates in its own dedicated PostgreSQL schema. Your glossary, users, and settings are stored in a separate, named partition of the database — not just filtered by a column value.

There is no query that can accidentally return another organisation's data. Even if an application bug produced an incorrect filter, the schema boundary holds. Cross-tenant access is structurally impossible.

In transit

All traffic between your browser and Unnoodle travels over HTTPS. HTTP Strict Transport Security (HSTS) is set with a one-year policy and applies to all subdomains. Browsers that have connected once will reject plain HTTP for the lifetime of the policy.

At rest

• MFA / TOTP secrets are encrypted at the application layer (AES-256-GCM) before being written to the database. The raw secret is never stored in plaintext. A unique random value (IV) is generated per write, so identical secrets produce different stored values.
• API keys are stored as SHA-256 cryptographic hashes. The raw key cannot be retrieved after issuance — only rotated.
• Passwords are stored as BCrypt hashes (10 rounds). Plaintext passwords are never stored or logged.
• Refresh tokens are stored as SHA-256 digests. The raw token value is never persisted.

Short-lived sessions with replay protection

Access tokens expire after 15 minutes. Refresh tokens are rotated on every use — the previous token is immediately invalidated. If a stolen refresh token is replayed, the entire session family is revoked automatically, forcing re-authentication. You can revoke any session from your account settings at any time.

Multi-Factor Authentication (MFA)

TOTP-based MFA is available for all users, compatible with Google Authenticator, Authy, 1Password, and any RFC 6238 app. When enabled, a correct password issues only a limited-scope intermediate token. A full session is only granted after the TOTP code is verified.

Sign in with Google / Microsoft

OAuth 2.0 with PKCE is used for social login. State and nonce parameters are verified on every callback. We do not use the implicit flow.

Brute force protection

After 5 consecutive failed login attempts, an account is locked for 15 minutes. Rate limiting on authentication endpoints provides a second layer of protection per IP address.

API keys

Tenant API keys are scoped to read-only access on specific endpoints. Keys can be rotated at any time — rotation immediately invalidates the previous key and fires an audit event.

Every significant action is recorded to an audit log. Each record captures: who performed the action, what was changed, which resource was affected, a timestamp, and the originating IP address.

Logged events include:

• All login attempts (successful and failed) and logouts
• MFA setup, activation, deactivation, and verification
• Password changes and session revocations
• User invitations, role changes, and account deletions
• API key rotations
• Data exports and account erasure requests
• Glossary content changes

The audit log is append-only and cannot be cleared by tenant admins. It is retained for accountability purposes under GDPR Art. 5(2).

Unnoodle is built to support your compliance obligations under GDPR and similar data protection laws. The following rights are implemented in production — not on a roadmap.

Consent at signup (Art. 7)

When you create an account, explicit consent is required and recorded — including the timestamp and IP address. Accounts cannot be created without it.

Right to export your data (Art. 20)

You can download a structured JSON export of all personal data we hold about you from your account settings. No support ticket. No waiting period.

Right to erasure (Art. 17)

You can permanently delete your account from account settings. When you do, your name, email, and credentials are immediately anonymised; all linked OAuth accounts are removed; all active sessions are revoked. Fully self-service.

Data minimisation (Art. 5)

Inactive accounts that exceed the configured retention period are automatically anonymised — personal identifiers are removed while the account record is retained for system integrity.

Tests before implementation

Every security control has automated tests written before the implementation. Controls that aren't tested aren't shipped.

No secrets in source code

All credentials, keys, and secrets are injected at deployment via environment variables. The application refuses to start in production if required security keys are absent. Nothing sensitive is committed to the repository.

Deterministic schema history

Every database change is managed through versioned migration files. There is no automatic schema generation in production. The state of the database at any point is deterministic and fully auditable.

Error responses don't leak internals

Unexpected errors return a generic message to the client. Stack traces and internal state are logged server-side only — never included in HTTP responses.

Our engineering practices are built around the SOC 2 Trust Service Criteria for Security, Availability, and Confidentiality. We have not pursued formal certification.

If formal certification is a requirement for your procurement process, contact us — we'll discuss where we are and what evidence we can provide.

If you believe you have found a security vulnerability in Unnoodle, please report it privately before disclosing publicly.