Security overview
Simple Council is built to be the artifact your auditor reads. The same controls we surface to your compliance program apply to our own.
Identity
- Microsoft Entra ID multi-tenant OIDC by default. Customer tenants control which Entra tenant IDs (the token's tid claim) may sign in via the ALLOWED_TENANT_IDS gate.
- Optional Credentials provider with bcrypt hashing for break-glass and integration test accounts only.
- Role-based access at three levels (admin / member / viewer) per the SIG identity contract (entity ruleset §9).
Tenant isolation
- Every domain table carries a tenantId column. Server actions and route handlers resolve the active tenant from the session and a host-bound custom-domain lookup; no tenantId is ever trusted from a request body.
- A canary test agent in a second tenant is asserted absent from the first tenant's pages and the auditor export envelope on every CI run (see Trust center).
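The two controls above (the ALLOWED_TENANT_IDS gate on the tid claim, and tenant resolution from session plus host rather than from the request body) are shown together in the following TypeScript sketch. It is an added illustration, not Simple Council's code: the session shape, the comma-separated env-var format, the custom-domain table, the in-memory agent table and the handler signature are all assumptions made for the example.

```typescript
// Added illustration, not Simple Council's code. Session shape, env-var format,
// domain table and the "agent" table below are assumptions for this example.
type Role = "admin" | "member" | "viewer";
interface Session { sub: string; tid: string; tenantId: string; role: Role }

// ALLOWED_TENANT_IDS is the gate named in the overview; the comma-separated
// format is an assumption.
function parseAllowedTenantIds(raw: string | undefined): Set<string> {
  return new Set((raw ?? "").split(",").map(s => s.trim()).filter(s => s.length > 0));
}

// Sign-in gate: the tid claim of the Entra ID token must be allow-listed.
// An empty list fails closed instead of admitting every Entra tenant.
function tidAllowed(tid: string, allowed: Set<string>): boolean {
  return allowed.size > 0 && allowed.has(tid);
}

// Constructed custom-domain table: host -> tenantId (host-bound lookup).
const CUSTOM_DOMAINS: Readonly<Record<string, string>> = {
  "council.acme.example": "t-acme",
  "council.globex.example": "t-globex",
};

// Resolve the active tenant from the session and the request host only.
// The body is accepted purely to make the point that it is never consulted.
function resolveTenant(session: Session | null, host: string, _body: unknown): string | null {
  if (!session) return null;
  const hostname = host.toLowerCase().replace(/:\d+$/, ""); // drop any port
  const boundTenant = CUSTOM_DOMAINS[hostname];
  if (boundTenant !== undefined && boundTenant !== session.tenantId) {
    return null; // a session from one tenant arriving on another tenant's domain is refused
  }
  return session.tenantId;
}

// Three-level role check (admin > member > viewer).
const ROLE_RANK: Record<Role, number> = { viewer: 0, member: 1, admin: 2 };
function hasRole(session: Session, required: Role): boolean {
  return ROLE_RANK[session.role] >= ROLE_RANK[required];
}

// Constructed domain table carrying a tenantId column, including a canary
// agent that lives in a second tenant.
interface AgentRow { id: string; tenantId: string; name: string }
const AGENTS: readonly AgentRow[] = [
  { id: "a1", tenantId: "t-acme", name: "ledger-bot" },
  { id: "a2", tenantId: "t-acme", name: "intake-bot" },
  { id: "canary", tenantId: "t-globex", name: "canary-agent" },
];

// Every read is scoped by the resolved tenant, never by a caller-supplied value.
function listAgents(tenantId: string): AgentRow[] {
  return AGENTS.filter(a => a.tenantId === tenantId);
}

// Route-handler shaped entry point: status plus rows.
function handleListAgents(
  session: Session | null, host: string, body: unknown,
): { status: number; rows: AgentRow[] } {
  const tenantId = resolveTenant(session, host, body);
  if (tenantId === null) return { status: 403, rows: [] };
  return { status: 200, rows: listAgents(tenantId) };
}

// The CI canary assertion reduced to its core: no row from the canary tenant
// may appear in another tenant's result set.
function canaryAbsent(rows: AgentRow[], canaryTenantId: string): boolean {
  return rows.every(r => r.tenantId !== canaryTenantId);
}
```

The body passed to handleListAgents in the usage below carries a forged tenantId for the other tenant; the handler still returns only the session tenant's rows, which is exactly what the canary check in CI is there to prove.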
Data protection
- TLS 1.2 or higher in transit (Azure Front Door enforced).
- AES-256 at rest in Azure Database for PostgreSQL. The evidence ledger is hash-chained per (agent, control) so tampering surfaces in the integrity sweep at export time.
- Secrets live in Azure Key Vault accessed through Container App managed identities. No customer credentials are stored in the database.
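The hash-chained evidence ledger and the export-time integrity sweep are illustrated below in TypeScript. This is an added example, not Simple Council's ledger code: the row fields, the JSON canonicalisation of the hash input, the genesis value and the sweep's reporting shape are assumptions made for the illustration; the sample evidence rows are constructed.

```typescript
import { createHash } from "node:crypto";

// Added example, not Simple Council's code. Field names, canonicalisation and
// the genesis value are assumptions for this illustration.
interface EvidenceRow {
  agentId: string;
  controlId: string;
  seq: number;        // position within the (agent, control) chain, from 0
  recordedAt: string; // ISO-8601 timestamp
  payload: string;    // evidence body as stored (already serialised)
  prevHash: string;   // hash of the previous row in the same chain, or GENESIS
  hash: string;       // sha256 over all fields above
}

const GENESIS = "0".repeat(64);

// Deterministic hash input: a JSON array keeps field boundaries unambiguous.
function rowHash(r: Omit<EvidenceRow, "hash">): string {
  const canonical = JSON.stringify([r.agentId, r.controlId, r.seq, r.recordedAt, r.payload, r.prevHash]);
  return createHash("sha256").update(canonical).digest("hex");
}

class EvidenceLedger {
  private rows: EvidenceRow[] = [];

  // Append links the new row to the last row of the same (agent, control) chain.
  append(agentId: string, controlId: string, recordedAt: string, payload: string): EvidenceRow {
    const chain = this.rows.filter(r => r.agentId === agentId && r.controlId === controlId);
    const prev = chain[chain.length - 1];
    const partial = {
      agentId, controlId,
      seq: prev ? prev.seq + 1 : 0,
      recordedAt, payload,
      prevHash: prev ? prev.hash : GENESIS,
    };
    const row: EvidenceRow = { ...partial, hash: rowHash(partial) };
    this.rows.push(row);
    return row;
  }

  // Copies are handed out so the tamper demonstration below cannot touch the ledger itself.
  snapshot(): EvidenceRow[] { return this.rows.map(r => ({ ...r })); }
}

interface SweepResult { ok: boolean; brokenAt: { agentId: string; controlId: string; seq: number }[] }

// Integrity sweep: group rows per (agent, control), walk each chain in seq
// order, and recompute every hash from the stored fields and the previous hash.
function integritySweep(rows: EvidenceRow[]): SweepResult {
  const chains = new Map<string, EvidenceRow[]>();
  for (const r of rows) {
    const key = `${r.agentId}\u0000${r.controlId}`;
    const bucket = chains.get(key);
    if (bucket) bucket.push(r); else chains.set(key, [r]);
  }
  const brokenAt: SweepResult["brokenAt"] = [];
  for (const chain of chains.values()) {
    chain.sort((a, b) => a.seq - b.seq);
    let expectedPrev = GENESIS;
    chain.forEach((r, i) => {
      const { hash, ...rest } = r;
      // seq === i catches a deleted or duplicated row; the other two catch edits.
      const intact = r.seq === i && r.prevHash === expectedPrev && rowHash(rest) === hash;
      if (!intact) brokenAt.push({ agentId: r.agentId, controlId: r.controlId, seq: r.seq });
      expectedPrev = hash; // continue from the stored hash so one edit is reported once
    });
  }
  return { ok: brokenAt.length === 0, brokenAt };
}

// Constructed sample: two agents, one control, then a payload edit that
// flips a failing result to a pass without recomputing the hash.
function demo(): { clean: SweepResult; tampered: SweepResult } {
  const ledger = new EvidenceLedger();
  ledger.append("agent-1", "ctl-access-review", "2025-01-01T00:00:00Z", '{"result":"pass"}');
  ledger.append("agent-1", "ctl-access-review", "2025-01-02T00:00:00Z", '{"result":"pass"}');
  ledger.append("agent-1", "ctl-access-review", "2025-01-03T00:00:00Z", '{"result":"fail"}');
  ledger.append("agent-2", "ctl-access-review", "2025-01-01T00:00:00Z", '{"result":"pass"}');
  const clean = integritySweep(ledger.snapshot());
  const tampered = ledger.snapshot();
  tampered[2].payload = '{"result":"pass"}';
  return { clean, tampered: integritySweep(tampered) };
}
```

One caveat a reader should keep in mind: a hash chain alone proves that rows were not edited, reordered or removed from the middle of a chain, but it cannot tell that the newest rows were simply dropped. Whether the page's integrity sweep anchors each chain head outside the database (for example in the signed auditor export envelope) is not stated here and would be the question to ask.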
Audit + monitoring
- Every operator action writes a structured AuditLog row with actorType, action verb, before / after JSON, and an optional reason.
- Every MCP call writes a McpAudit row regardless of success or failure.
- Internal cron routes (continuous evidence, cost rollup) are bearer-gated and emit structured stats.
Vulnerability management
- Dependency scanning on every pull request via GitHub-managed tooling.
- §18 Playwright E2E suite asserts auth, visibility, isolation, and admin gates on every change.
- Coordinated disclosure: write to security@simpleintelligence.io. We acknowledge within two business days.
Compliance posture
Simple Council ships pre-built blueprints for ISO 42001, EU AI Act, NIST AI RMF, HIPAA, HITRUST, FFIEC, SR 11-7, FINRA, CMMC L2, FedRAMP, and SOC 2. Simple Intelligence's own compliance attestations are published at /trust.