Domfolio Knowledge Library

Security and Compliance

Authentication controls, audit trails, and SOC2-ready implementation posture.

Audience: Security, compliance, and engineering
Source: docs/security-compliance.md
Last updated: March 3, 2026

Security Foundations

  • Mandatory email verification before API token issuance.
  • Session auth for web and bearer auth for API clients.
  • Capability checks for workspace-scoped reads and writes.
  • Correlation IDs for request traceability and operational forensics.
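The four foundations above fit together in one request path: a token is only minted for a verified user, the bearer credential is resolved to a user, a workspace-scoped capability check decides the action, and every response (success or refusal) carries a correlation ID. The following Python is an added example written for this page, not Domfolio's code; the `User`, `Membership`, `TokenService` and `WorkspaceAuthorizer` names, the `X-Correlation-ID` header and the in-memory stores are assumptions made for illustration.

```python
import hashlib
import secrets
import uuid
from dataclasses import dataclass
from typing import Optional

# Constructed in-memory models; names and fields are assumptions for this
# example, not Domfolio's schema.


@dataclass
class User:
    id: str
    email: str
    email_verified: bool = False


@dataclass
class Membership:
    user_id: str
    workspace_id: str
    capabilities: frozenset  # e.g. frozenset({"read", "write"})


class AuthError(Exception):
    """Raised when a token cannot be issued or a bearer credential is invalid."""


class TokenService:
    """Issues API tokens only to verified users; stores digests, never raw tokens."""

    def __init__(self):
        self._digest_to_user = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue_api_token(self, user: User) -> str:
        # Mandatory email verification before API token issuance.
        if not user.email_verified:
            raise AuthError("email must be verified before an API token is issued")
        token = secrets.token_urlsafe(32)
        self._digest_to_user[self._digest(token)] = user.id
        return token

    def resolve_bearer(self, authorization: Optional[str]) -> str:
        # Bearer auth for API clients: map the presented token back to a user id.
        if not authorization:
            raise AuthError("missing Authorization header")
        scheme, _, credential = authorization.partition(" ")
        if scheme.lower() != "bearer" or not credential.strip():
            raise AuthError("malformed Authorization header")
        user_id = self._digest_to_user.get(self._digest(credential.strip()))
        if user_id is None:
            raise AuthError("unknown token")
        return user_id


class WorkspaceAuthorizer:
    """Capability checks for workspace-scoped reads and writes."""

    def __init__(self, memberships):
        self._caps = {(m.user_id, m.workspace_id): m.capabilities for m in memberships}

    def has_capability(self, user_id: str, workspace_id: str, capability: str) -> bool:
        # Default deny: no membership row means an empty capability set.
        return capability in self._caps.get((user_id, workspace_id), frozenset())


def handle_request(tokens, authorizer, headers: dict, workspace_id: str, capability: str) -> dict:
    """Authenticate, authorize, and tag the outcome with a correlation ID.

    The correlation ID comes from the assumed X-Correlation-ID header or is
    generated here, and is returned on every path so logs for one request line up.
    """
    correlation_id = headers.get("X-Correlation-ID") or str(uuid.uuid4())
    try:
        user_id = tokens.resolve_bearer(headers.get("Authorization"))
    except AuthError as exc:
        return {"status": 401, "error": str(exc), "correlation_id": correlation_id}
    if not authorizer.has_capability(user_id, workspace_id, capability):
        return {"status": 403, "error": "capability denied", "workspace_id": workspace_id,
                "capability": capability, "correlation_id": correlation_id}
    return {"status": 200, "user_id": user_id, "correlation_id": correlation_id}


def demo() -> dict:
    """Constructed scenario: one verified and one unverified user, one read-only membership."""
    tokens = TokenService()
    authz = WorkspaceAuthorizer([Membership("u1", "ws-a", frozenset({"read"}))])
    verified = User("u1", "alice@example.com", email_verified=True)
    unverified = User("u2", "bob@example.com")
    try:
        tokens.issue_api_token(unverified)
        unverified_rejected = False
    except AuthError:
        unverified_rejected = True
    token = tokens.issue_api_token(verified)
    hdrs = {"Authorization": f"Bearer {token}", "X-Correlation-ID": "req-0001"}
    return {
        "unverified_rejected": unverified_rejected,
        "read_own": handle_request(tokens, authz, hdrs, "ws-a", "read"),
        "write_own": handle_request(tokens, authz, hdrs, "ws-a", "write"),
        "read_other": handle_request(tokens, authz, hdrs, "ws-b", "read"),
        "no_token": handle_request(tokens, authz, {}, "ws-a", "read"),
        "bad_token": handle_request(tokens, authz, {"Authorization": "Bearer nope"}, "ws-a", "read"),
    }
```

Two design choices worth noting: the token store keeps only SHA-256 digests, so a leaked table does not yield usable bearer credentials, and the authorizer is default-deny, so a user with no membership row in a workspace is treated exactly like a user with an empty capability set.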

Audit and Traceability

Financial, auth, and integration-relevant actions are recorded in audit and event tables so teams can trace who did what, where, and when.

  • AuditLog captures action, actor, workspace, and metadata.
  • WebhookEvent stores signature outcome and raw payload for review.
  • IdempotencyKey records mutation replays and conflict detection.
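The three record types above cover three different questions: AuditLog answers "who did what, where", WebhookEvent keeps the evidence needed to review a signature decision after the fact, and IdempotencyKey separates a harmless replay (same key, same body) from a conflict (same key, different body). The Python below is an added example written for this page, not Domfolio's code; the field layouts, the HMAC-SHA256 webhook scheme, the `AuditTrail`/`IdempotencyStore` classes, the `payment.create` action name and the sample payloads are constructed assumptions.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import List, Optional

# Constructed record types using the page's AuditLog / WebhookEvent /
# IdempotencyKey names; the fields are assumptions for this example.


@dataclass
class AuditLog:
    action: str
    actor: str
    workspace: str
    metadata: dict
    correlation_id: str


@dataclass
class WebhookEvent:
    provider: str
    signature_valid: bool
    raw_payload: bytes  # kept verbatim so a rejected signature can be reviewed later
    correlation_id: str


@dataclass
class IdempotencyKey:
    key: str
    request_digest: str
    response: Optional[dict] = None


class AuditTrail:
    """Append-friendly history: there is deliberately no update or delete method."""

    def __init__(self):
        self._entries: List[AuditLog] = []

    def record(self, entry: AuditLog) -> None:
        self._entries.append(entry)

    def entries(self) -> List[AuditLog]:
        return list(self._entries)


class IdempotencyStore:
    """Classifies a (key, body) pair as new, replay, or conflict."""

    def __init__(self):
        self._keys = {}

    def classify(self, key: str, body: bytes) -> str:
        digest = hashlib.sha256(body).hexdigest()
        existing = self._keys.get(key)
        if existing is None:
            self._keys[key] = IdempotencyKey(key, digest)
            return "new"
        if existing.request_digest != digest:
            return "conflict"  # same key reused for a different mutation
        return "replay"        # same key, same body: safe to return the stored result

    def remember(self, key: str, response: dict) -> None:
        self._keys[key].response = response

    def stored_response(self, key: str) -> Optional[dict]:
        return self._keys[key].response


def apply_mutation(store, audit, key, body: bytes, actor, workspace, correlation_id) -> dict:
    """Run a financial mutation at most once per idempotency key and audit every attempt.

    Audit metadata carries a body digest rather than the body, so amounts and
    account details do not end up in the log (sensitive data minimization).
    """
    outcome = store.classify(key, body)
    if outcome == "conflict":
        response = {"status": 409, "error": "idempotency key reused with a different payload"}
    elif outcome == "replay":
        response = store.stored_response(key)
    else:
        payload = json.loads(body)  # the actual mutation would happen here
        response = {"status": 201, "amount": payload["amount"]}
        store.remember(key, response)
    audit.record(AuditLog("payment.create", actor, workspace,
                          {"idempotency_key": key, "outcome": outcome,
                           "body_sha256": hashlib.sha256(body).hexdigest()},
                          correlation_id))
    return {"outcome": outcome, "response": response}


def receive_webhook(secret: bytes, provider: str, raw_payload: bytes,
                    signature_header: str, correlation_id: str) -> WebhookEvent:
    """Verify an HMAC-SHA256 signature (assumed scheme) over the raw bytes.

    The outcome and the untouched payload are recorded whether or not the
    signature verified, so a rejection can be investigated rather than lost.
    """
    expected = hmac.new(secret, raw_payload, hashlib.sha256).hexdigest()
    valid = hmac.compare_digest(expected.encode(), signature_header.encode())
    return WebhookEvent(provider, valid, raw_payload, correlation_id)


def demo() -> dict:
    """Constructed scenario: one key used three times, one good and one bad webhook signature."""
    store, audit = IdempotencyStore(), AuditTrail()
    body_a = b'{"amount": 1500, "currency": "USD"}'
    body_b = b'{"amount": 9900, "currency": "USD"}'
    first = apply_mutation(store, audit, "key-1", body_a, "u1", "ws-a", "req-1")
    replay = apply_mutation(store, audit, "key-1", body_a, "u1", "ws-a", "req-2")
    conflict = apply_mutation(store, audit, "key-1", body_b, "u1", "ws-a", "req-3")
    secret = b"constructed-webhook-secret"
    good_sig = hmac.new(secret, body_a, hashlib.sha256).hexdigest()
    good = receive_webhook(secret, "payments", body_a, good_sig, "req-4")
    bad = receive_webhook(secret, "payments", body_a, "deadbeef", "req-5")
    return {"first": first, "replay": replay, "conflict": conflict,
            "good": good, "bad": bad, "audit": audit.entries()}
```

The replay path returns the response stored on the first attempt rather than re-running the mutation, while the conflict path refuses outright; both still produce an AuditLog row, so a reviewer can see the reuse pattern even though only one mutation ever executed.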

SOC2-Ready Direction

  • Least-privilege defaults with explicit capability checks.
  • Immutable or append-friendly security event history.
  • Sensitive data minimization in logs and request metadata.
  • Repeatable controls documented in runbooks and ADRs.

Next Hardening Steps

  • Per-endpoint sensitivity-based rate limits.
  • OAuth2 third-party flows and scoped client management.
  • Automated security scenarios (IDOR, mass assignment, replay attacks).
  • Alerting tied to API error rate, latency, and integration failure thresholds.