Settings

Security controls

Invitations, MFA, API keys, posture scoring and security events are visible before access risk becomes audit risk.

Security posture [review]: 72/100 (MFA and key rotation are the main gaps)

Active users [info]: 8 (6 have verified MFA factors)

Pending invites [warning]: 2 (Follow up before expiry)

API keys [warning]: 3 (1 key expires within 30 days)

Encryption and audit controls: 84/100

Encryption at rest [ready]

Integration configuration is stored with AES-256-GCM envelope encryption. Document versions carry encrypted storage evidence and key references. Raw integration secrets are rejected unless they are secret references.

Encryption in transit [warning]

HTTPS enforcement middleware redirects insecure production requests. HSTS, CSP, frame blocking and permissions policy are emitted. Database SSL mode is configurable for Postgres connections.

Audit logging [ready]

Domain mutations write tenant-scoped audit logs. Sensitive audit fields are redacted before persistence. Audit records include SHA-256 event hashes.

| Control | Score | Status | Required action |
| --- | --- | --- | --- |
| Encryption at rest: Integration configuration is stored with AES-256-GCM envelope encryption | 88/100 | enabled | Move production keys into managed KMS and rotate on schedule |
| Encryption in transit: HTTPS enforcement middleware redirects insecure production requests | 76/100 | warning | Enable HTTPS enforcement and verify-full database SSL in production |
| Audit logging: Domain mutations write tenant-scoped audit logs | 88/100 | enabled | Add production append-only storage and export retention jobs |

Posture checklist: 72/100

MFA coverage [warning]: 1 active user still needs MFA.

Invitation follow-up [review]: 2 invitations are waiting for acceptance.

API key rotation [warning]: 1 API key needs rotation.

Security events [ready]: No high severity events are open.

Security events

|  | Severity | Detail | At |
| --- | --- | --- | --- |
| user.invited | info | Support Coordinator invitation created | 11:00 pm |
| api_key.created | warning | Reporting integration key created with billing read scope | 11:10 pm |
| mfa.enabled | info | Tenant Owner verified TOTP factor | 11:15 pm |

Users and MFA

| User | MFA | Status |
| --- | --- | --- |
| Imran Owner, owner@example.com, Tenant Owner | Required | Active |
| Ops Manager, ops@example.com, Operations Manager | Missing | Active |
| Plan Manager, plan@example.com, Plan Manager | Required | Active |

Invitations

|  |  | Expires | Status |
| --- | --- | --- | --- |
| coordinator@example.com | Support Coordinator | 11 June 2026 | Pending |
| auditor@example.com | Auditor | 09 June 2026 | Pending |

API keys

| Key | Scopes | Expires | Status |
| --- | --- | --- | --- |
| Reporting integration (cndis_live_rpt) | participant:read, billing:read | 29 June 2026 | Expiring |
| Document sync (cndis_live_doc) | document:read, document:write | 31 Aug 2026 | Active |

Configuration register

Organisation profile: Permission-gated

Sites: Permission-gated

Teams: Permission-gated

Users and roles: Permission-gated

Permissions: Permission-gated

NDIS support catalogue: Permission-gated

Price versions: Permission-gated

Billing rules: Permission-gated

Claim export settings: Permission-gated

Invoice templates: Permission-gated