Security Model
Authentication Methods
We offer passwordless authentication to eliminate password-related security risks:
- Email/SMS Codes: Time-limited, single-use codes that expire after 5 minutes with rate limiting to prevent automated attacks
- Magic Links: Secure, one-time-use links sent via email that expire after 72 hours with cryptographically secure token generation
Enterprise Single Sign-On (SSO)
- Google Workspace integration
- Microsoft Azure AD integration
- Automatic account provisioning and management
Session Security
- Authentication tokens stored in secure, HTTP-only cookies
- Short-lived access tokens (30 minutes) with automatic refresh
- Immediate session termination on logout or security events
- Protection against session hijacking
Access Controls
Role Based Access Controls
The platform implements a hierarchical access control system with five distinct roles:
Role | Description |
User | Standard access to personal surveys and results |
Admin | Full organizational access including user management |
employeeInsite Partner | Client-scoped access for non-employeeInsite team members to manage employeeInsite process on behalf of their clients |
employeeInsite Admin | Platform administrative access for employeeInsite team members |
System Admin | Technical administrative access (highly restricted) |
Access Control Principles
- Multi-Level Validation: User identity verified on every request with role-based permission checks
- Principle of Least Privilege: Users granted minimum necessary access with regular access reviews
Powered by