Security Audit

Added by Troy Pastoral Troy P.
Column
Review
Assigned to
Troy Pastoral Troy P.
Subtasks
Send security white paper to Eric and team *APP *APP, Justin Sheehan Justin S. Fri, May 29
Create OnePassword Vault for all accounts - individual vaults for each app *APP *APP, Justin Sheehan Justin S. Tue, Jun 9
Review next steps for security *APP *APP, Justin Sheehan Justin S., Troy Pastoral Troy P. Mon, May 25
Troy Pastoral
Troy Pastoral AI Whisperer Edited

Security Audit QA — Client Sign-Off
These are the 19 security issues we found and fixed.



Protecting User Accounts


  • A person cannot set up two-factor authentication (the extra login code) for
    someone else's account
  • When setting up the extra login code, no data is sent to outside websites
  • Someone cannot hack into an account by guessing the 6-digit login code
    repeatedly, even using multiple internet connections
  • A regular logged-in user cannot see other people's private folder invitation
    links
  • When an admin views another user's account, that action is recorded securely —
    not visible in open server logs



Blocking Malicious Content


  • Pasting dangerous code into a knowledge base entry does nothing harmful when
    other users open it
  • AI-generated suggestions and canvas cards cannot run hidden scripts



Login & Access Rules


  • If our database has a brief outage, users from restricted countries are still
    blocked — not accidentally let in
  • Users cannot fake their location to bypass country restrictions
  • Clicking a suspicious login link cannot redirect users to a fake external website
    after they sign in
  • A regular user cannot secretly upgrade their own account to admin
  • Clearing browser data does not let a user skip the two-factor login step



Background Protection Systems


  • Attempting to manipulate the AI with trick prompts is blocked outright, not just
    recorded
  • The system detects and hides sensitive data (bank account numbers, cloud service
    keys, developer tokens) before it reaches the AI or gets stored
  • One user flooding the system cannot accidentally lock other users out
  • If a security event fails to log, admins are notified — nothing is silently lost



File & Data Safety


  • Uploading a deliberately broken file does not crash the system — it shows an error
    and stops cleanly
  • A one-time backup login code cannot be used twice at the same moment
  • Backup login codes are not stored in a readable format in the database
  • If the AI chat hits an error, no internal system details leak into the error
    message shown to users