Security overview

Simple Council is built to be the artifact your auditor reads. The same controls we surface to your compliance program apply to our own.

Identity

  • Microsoft Entra ID multi-tenant OIDC by default. Customer tenants control which Entra tids may sign in via the ALLOWED_TENANT_IDS gate.
  • Optional Credentials provider with bcrypt hashing for break-glass and integration test accounts only.
  • Role-based access at three levels (admin / member / viewer) per the SIG identity contract (entity ruleset §9).

Tenant isolation

  • Every domain table carries a tenantId column. Server actions and route handlers resolve the active tenant from the session and a host-bound custom-domain lookup; no tenantId is ever trusted from a request body.
  • A canary test agent in a second tenant is asserted absent from the first tenant's pages and the auditor export envelope on every CI run (see Trust center).

Data protection

  • TLS 1.2 or higher in transit (Azure Front Door enforced).
  • AES-256 at rest in Azure Database for PostgreSQL. The evidence ledger is hash-chained per (agent, control) so tampering surfaces in the integrity sweep at export time.
  • Secrets live in Azure Key Vault accessed through Container App managed identities. No customer credentials are stored in the database.

As an added illustration of the hash-chained evidence ledger and the export-time integrity sweep described above (example code written for this overview, not Simple Council's own implementation; the row fields, the SHA-256 link construction and the sample evidence rows are assumptions):

```python
# Added example (not Simple Council's code): one hash chain per (agent, control)
# and the sweep that re-derives every link before the auditor export is sealed.
import hashlib
import json

GENESIS = "0" * 64  # anchor for the first row of every (agent, control) stream
BODY_FIELDS = ("seq", "agent", "control", "payload")


def _row_hash(prev_hash: str, body: dict) -> str:
    """Link = SHA-256 over the previous hash and the canonical JSON of the row body."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(f"{prev_hash}\n{canonical}".encode()).hexdigest()


def append_evidence(ledger: dict, agent: str, control: str, payload: dict) -> dict:
    """Append one evidence row to the chain keyed by (agent, control)."""
    chain = ledger.setdefault((agent, control), [])
    prev = chain[-1]["hash"] if chain else GENESIS
    body = {"seq": len(chain), "agent": agent, "control": control, "payload": payload}
    row = {**body, "prev": prev, "hash": _row_hash(prev, body)}
    chain.append(row)
    return row


def integrity_sweep(ledger: dict) -> list:
    """Report the first broken link per stream as (agent, control, seq)."""
    findings = []
    for (agent, control), chain in ledger.items():
        prev = GENESIS
        for expected_seq, row in enumerate(chain):
            body = {k: row[k] for k in BODY_FIELDS}
            ok = (row["seq"] == expected_seq          # catches a deleted middle row
                  and row["prev"] == prev             # catches a re-ordered row
                  and row["hash"] == _row_hash(prev, body))  # catches an edited row
            if not ok:
                findings.append((agent, control, expected_seq))
                break  # every later row chains off the bad link; one finding per stream
            prev = row["hash"]
    return findings


def demo() -> tuple:
    """Constructed sample: a clean ledger passes, then an in-place edit is flagged."""
    ledger: dict = {}
    for run in range(3):
        append_evidence(ledger, "agent-7", "AC-2", {"check": "mfa", "run": run, "pass": True})
    append_evidence(ledger, "agent-7", "AC-6", {"check": "least-priv", "pass": False})
    clean = integrity_sweep(ledger)
    ledger[("agent-7", "AC-2")][1]["payload"]["pass"] = False  # tamper with stored evidence
    return clean, integrity_sweep(ledger)
```

The chain by itself cannot reveal that the newest rows of a stream were silently dropped, so the export envelope also has to carry each stream's head hash and row count for the sweep to compare against.
<test>
clean, tampered = demo()
assert clean == []
assert tampered == [("agent-7", "AC-2", 1)]

ledger = {}
for x in (1, 2, 3):
    append_evidence(ledger, "a", "c", {"x": x})
assert integrity_sweep(ledger) == []
del ledger[("a", "c")][1]
assert integrity_sweep(ledger) == [("a", "c", 1)]
</test>

Audit + monitoring

  • Every operator action writes a structured AuditLog row with actorType, action verb, before / after JSON, and an optional reason.
  • Every MCP call writes a McpAudit row regardless of success or failure.
  • Internal cron routes (continuous evidence, cost rollup) are bearer-gated and emit structured stats.

Vulnerability management

  • Dependency scanning on every pull request via GitHub-managed tooling.
  • §18 Playwright E2E suite asserts auth, visibility, isolation, and admin gates on every change.
  • Coordinated disclosure: write to security@simpleintelligence.io. We acknowledge within two business days.

Compliance posture

Simple Council ships pre-built blueprints for ISO 42001, EU AI Act, NIST AI RMF, HIPAA, HITRUST, FFIEC, SR 11-7, FINRA, CMMC L2, FedRAMP, and SOC 2. Simple Intelligence's own compliance attestations are published at /trust.