Security

We take security seriously, and we are deliberate about what we claim. This page lists what is implemented today and what is still on the roadmap.

In place today

Tenant Isolation

Every surface, block, and credential is scoped to a workspace. The API enforces tenant boundaries on every read and mutation.

RBAC

Seven built-in roles with granular per-resource permissions. Roles are enforced at the API boundary, not in the UI.

Authentication

OAuth2 with PKCE, JWT sessions with rotation, and OAuth callbacks for GitHub and Microsoft. SSO via OIDC and SAML for enterprise plans.

Audit Logs

Every mutation is recorded with actor, timestamp, target resource, and request context.

Input Validation

All API endpoints validate input with Zod schemas before any business logic runs.

Rate Limiting

Per-tenant and per-plan rate limits enforced in middleware to prevent abuse.

GDPR Tooling

Data export (24-hour service-level target), anonymization, and right-to-deletion endpoints are implemented and audited.

Operator-only Console

The operator dashboard is gated to PhiWebs staff. End users cannot reach it, and impersonation is fully audited.

Infrastructure

Production runs on a hybrid topology: Azure Container Apps for the origin, Cloudflare for edge delivery and DDoS protection, PostgreSQL and Redis for state, and R2 for object storage. TLS is terminated at the Cloudflare edge.

Compliance status

We do not claim certifications we do not hold. Status is reported honestly:

  • SOC 2: Not yet — planned
  • GDPR tooling: In place (see above)
  • ISO 27001: Not yet — planned

On the roadmap

The following are not in v1.0 but are being planned. They are listed here so that the page is honest about what you should and should not rely on:

  • Multi-factor authentication (MFA) for end-user accounts
  • Application-level encryption at rest for sensitive fields
  • Third-party penetration testing and public attestation
  • Customer-configurable data residency
  • SOC 2 Type II audit

Responsible Disclosure

If you find a security vulnerability, please report it privately. We commit to acknowledging reports within 72 hours and to keeping the reporter informed about remediation.

Report vulnerabilities to:

security@phiwebs.com

Questions?

For security-related inquiries, contact security@phiwebs.com.