Security & Access Control
CoralLedger Comply implements multiple layers of security to protect your financial data and ensure regulatory compliance.
Multi-Tenant Security Demo
Authentication
Two-Factor Authentication (2FA)
All users are required to set up 2FA on first login. This adds a second verification step using an authenticator app.
- Required for: All users, all sensitive operations
- Supported apps: Google Authenticator, Microsoft Authenticator, Authy, 1Password
- Backup codes: Generated during setup for emergency access
Password Security
- Minimum 8 characters with complexity requirements (uppercase, lowercase, number, special character)
- PBKDF2 hashing with industry-standard iterations
- Password change history tracked
Session Management
- Secure cookie-based authentication
- Session timeout for inactive users
- View and revoke active sessions from Account Settings
- Login history with IP address and device tracking
- Session revocation on soft-delete — when an operator account is soft-deleted,
UpdateSecurityStampAsyncis called immediately, invalidating all of that user's active sessions across every device
Threat Protection
IP Blocking
Blocks IP addresses after repeated failed login attempts. Administrators can manually block suspicious IPs.
Fraud Detection
Real-time monitoring flags suspicious activity including:
- Unusual transaction patterns
- Statistical outliers
- Rapid repeated actions
- Cross-tenant access attempts
Kill Switch
Emergency control to immediately disable fraud detection or lock down specific accounts during security incidents.
Impersonation
PlatformAdmin operators can sign in as any user in a read-only session for support and debugging. Every session is time-limited, write-blocked, and fully audited.
Learn more about impersonation
Data Protection
Multi-Tenant Isolation
All EF Core queries are filtered by Business ID at query execution time, providing strong logical separation between businesses. Cross-tenant access is prevented for all queries that go through the tenant-aware data access layer.
The EF Core global query filter re-evaluates the current BusinessId on every EF Core query, so switching tenants mid-session — including via the ?bid= query parameter in Blazor Server — takes effect immediately without requiring a page reload or new database connection.
Learn more about the tenant filter architecture
Audit Trail
All data modifications are recorded in an immutable, hash-chain verified audit log. See Audit Trail for details.
Data Retention
- Active accounts: Unlimited retention
- Closed accounts: 7-year retention per Value Added Tax Act, 2014, s. 50
- WORM (Write Once Read Many) compliance for audit entries
Encryption
- TLS 1.2+ for all data in transit
- Database-level encryption for data at rest
- Secure cookie flags (HttpOnly, Secure, SameSite)
Role-Based Access Control
| Role | Scope | Permissions |
|---|---|---|
| PlatformAdmin | Platform-wide (Ops Portal) | Full platform administration — manage all businesses, operators, and emergency controls. Requires 2FA. Ops Portal access controlled by RequirePlatformAdmin policy (role + 2FA); role assignment managed separately. |
| Owner | Business | Full access to all features and settings within a business |
| Accountant | Business | Manage transactions, returns, and reports |
| User | Business | View-only access to data and reports |
Granular permissions can be configured per user for: Transactions, Reports, Compliance, Settings, User Management, and Security.
RequirePlatformAdmin Policy
Access to the Ops Portal is enforced by the RequirePlatformAdmin authorization policy, implemented in PlatformAdminAuthorizationHandler. This policy combines two checks:
- Role check — the user must hold the
PlatformAdminrole. - 2FA check — the user must have completed two-factor authentication for the current session.
Requests that fail either check are rejected with a 403 Forbidden response before any application endpoint or controller logic is executed.
Self-Operation Guards
To prevent accidental or malicious lock-out, operators are blocked from performing destructive actions on their own account:
- An operator cannot lock their own account.
- An operator cannot delete (soft-delete) their own account.
These guards are enforced server-side and cannot be bypassed through the API.
Impersonation Read-Only Mode
When a PlatformAdmin impersonates a business account, an HTTP-level middleware enforces read-only mode. All mutating requests (POST, PUT, PATCH, DELETE) are rejected for the duration of the impersonation session, ensuring that platform operators cannot inadvertently or deliberately modify client data while impersonating.
Best Practices
- Enable 2FA immediately — Required for all users
- Use strong, unique passwords — Don't reuse passwords from other services
- Review login history regularly — Check for unrecognized access
- Limit user permissions — Grant only the access each team member needs
- Monitor fraud alerts — Act on security notifications promptly