Security Policy
- Passwords hashed with bcrypt
- JWT auth with refresh-token rotation
- Strict tenant isolation: every data-access query is scoped to the caller's tenant
- Role-based access control (RBAC)
- Audit logs of sensitive actions
- Secrets stored in environment variables; never committed
- Encrypted transport (HTTPS) in production
- Secure document storage with allow-listed MIME types and size caps
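
The tenant-isolation and document-storage items above, as an added example that is not debtpilot.ai's own code: a small Python document store in which every query carries the tenant predicate and uploads are accepted only when their magic bytes match an allow-listed type, agree with the declared type, and fit under a size cap. The table layout, the 10 MiB cap, the accepted types and the tenant names are assumptions made for the illustration.

```python
# Added illustration, not debtpilot.ai's code. Table layout, size cap,
# allow-listed types and tenant names are assumptions for the example.
import sqlite3
from dataclasses import dataclass

# Allow-list keyed by the magic bytes that identify each type. The
# client-declared Content-Type is never trusted on its own.
ALLOWED_MAGIC = {
    b"%PDF-": "application/pdf",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
}
MAX_UPLOAD_BYTES = 10 * 1024 * 1024  # assumed 10 MiB cap


class UploadRejected(ValueError):
    """Raised when an upload fails the allow-list or size check."""


def validate_upload(data: bytes, declared_mime: str) -> str:
    """Return the verified MIME type or raise UploadRejected.

    The size cap is checked before any content sniffing, and the sniffed
    type must match what the client declared, so a PDF uploaded as
    image/png is rejected rather than silently relabelled.
    """
    if len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected(f"upload exceeds {MAX_UPLOAD_BYTES} bytes")
    for magic, mime in ALLOWED_MAGIC.items():
        if data.startswith(magic):
            if mime != declared_mime:
                raise UploadRejected(f"declared {declared_mime}, content is {mime}")
            return mime
    raise UploadRejected("content type not in allow-list")


@dataclass(frozen=True)
class TenantContext:
    """Caller's tenant, resolved from the authenticated session, never from
    a request parameter."""
    tenant_id: str


class DocumentStore:
    """Every statement is parameterised and includes tenant_id, so another
    tenant's document id behaves exactly like a missing one."""

    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE documents (id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL,"
            " mime TEXT NOT NULL, body BLOB NOT NULL)"
        )

    def put(self, ctx: TenantContext, data: bytes, declared_mime: str) -> int:
        mime = validate_upload(data, declared_mime)  # reject before any write
        cur = self.db.execute(
            "INSERT INTO documents (tenant_id, mime, body) VALUES (?, ?, ?)",
            (ctx.tenant_id, mime, data),
        )
        self.db.commit()
        return cur.lastrowid

    def get(self, ctx: TenantContext, doc_id: int):
        return self.db.execute(
            "SELECT id, mime, body FROM documents WHERE id = ? AND tenant_id = ?",
            (doc_id, ctx.tenant_id),
        ).fetchone()

    def list_ids(self, ctx: TenantContext) -> list:
        rows = self.db.execute(
            "SELECT id FROM documents WHERE tenant_id = ? ORDER BY id",
            (ctx.tenant_id,),
        ).fetchall()
        return [r[0] for r in rows]


def is_rejected(store: DocumentStore, ctx: TenantContext,
                data: bytes, declared_mime: str) -> bool:
    """True if the store refuses the upload (nothing is written on refusal)."""
    try:
        store.put(ctx, data, declared_mime)
        return False
    except UploadRejected:
        return True


def demo() -> dict:
    """Constructed scenario: two tenants, a cross-tenant read, bad uploads."""
    store = DocumentStore()
    acme, globex = TenantContext("acme"), TenantContext("globex")
    acme_doc = store.put(acme, b"%PDF-1.7 constructed sample", "application/pdf")
    globex_doc = store.put(globex, b"\x89PNG\r\n\x1a\nconstructed", "image/png")
    return {
        "acme_sees_own": store.get(acme, acme_doc) is not None,
        "acme_sees_globex": store.get(acme, globex_doc) is not None,
        "acme_ids": store.list_ids(acme),
        "globex_ids": store.list_ids(globex),
        "mislabel_rejected": is_rejected(store, acme, b"%PDF-1.7 x", "image/png"),
        "exe_rejected": is_rejected(store, acme, b"MZ\x90\x00", "application/pdf"),
    }


if __name__ == "__main__":
    print(demo())
```

Resolving `TenantContext` from the authenticated session rather than from request input is what makes the `tenant_id` predicate meaningful; a store that lets the caller supply the tenant reopens the hole the filter closes.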
Reporting a vulnerability
Please email security@debtpilot.ai. We acknowledge reports within 2 business days.