DuesIQ is built with security at every layer. From encrypted data storage to multi-factor authentication, we protect your community's information with the same standards used by financial institutions.
Every request is validated independently. Our middleware verifies your session on each page load, and PostgreSQL Row-Level Security policies enforce data isolation on every database query. No request is implicitly trusted.
TOTP-based two-factor authentication is available for all users and required for board members and administrators. This ensures that even if a password is compromised, your account remains protected.
All data is encrypted at rest using AES-256 and in transit via TLS 1.2+. Sessions use JWTs stored in httpOnly cookies. Webhook signatures are verified using HMAC-SHA256 to prevent tampering.
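To show what HMAC-SHA256 webhook verification looks like on the receiving side, here is an added example (not DuesIQ's code); the header name `X-Signature`, the shared secret and the sample payload are assumptions.

```python
import hashlib
import hmac
from typing import Optional


def sign_webhook(secret: bytes, body: bytes) -> str:
    """Sender side: hex HMAC-SHA256 over the raw request body."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, body: bytes, signature_header: Optional[str]) -> bool:
    """Receiver side: recompute the MAC over the raw bytes and compare.

    The MAC must be computed over the body exactly as received, before any
    JSON parsing, otherwise re-serialisation can change the bytes and break
    the check. A missing or malformed header is rejected, never skipped.
    """
    if not signature_header:
        return False
    expected = sign_webhook(secret, body).encode("ascii")
    provided = signature_header.strip().lower().encode("utf-8", "replace")
    # compare_digest runs in constant time, so response timing does not leak
    # how many leading bytes of a guessed signature were correct.
    return hmac.compare_digest(expected, provided)


# Constructed sample values (hypothetical, not real DuesIQ data).
SECRET = b"whsec_example_shared_secret"           # assumed shared secret
BODY = b'{"event":"payment.received","member_id":42,"amount_cents":12500}'
HEADER = "X-Signature"                            # assumed header name


def demo() -> dict:
    """Run the check on a valid, a tampered and an unsigned delivery."""
    sig = sign_webhook(SECRET, BODY)
    tampered = BODY.replace(b"12500", b"1")
    return {
        "valid": verify_webhook(SECRET, BODY, sig),
        "tampered_body": verify_webhook(SECRET, tampered, sig),
        "wrong_secret": verify_webhook(b"other", BODY, sig),
        "missing_header": verify_webhook(SECRET, BODY, None),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{HEADER} check, {case}: {'accepted' if ok else 'rejected'}")
```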
Role-based access control ensures members only see their own data. Board members have administrative access scoped to their community. All security events are logged in an audit trail for compliance and review.
Automated dependency scanning runs on every code change. Critical vulnerabilities are patched within 48 hours. Our security policies, including our patching SLA and data retention schedules, are documented and reviewed annually.
If you discover a security vulnerability, please report it to security@duesiq.com. We will acknowledge receipt within 48 hours and provide a fix timeline within 7 days.