Security at EmpireVault
EmpireVault is built with enterprise-grade security from the ground up. Every layer of our platform — from authentication to deployment — is designed to protect your data and meet the expectations of modern B2B security reviews.
Security Architecture Overview
A summary of the security controls implemented across the EmpireVault platform.
| Domain | Controls |
|---|---|
| Authentication | WorkOS OAuth 2.0, SSO/SAML/OIDC, no local passwords |
| Authorization | Multi-layer RBAC: role hierarchy, tool entitlements, subscription gating |
| Encryption | AES-256-GCM at rest (ActiveRecord Encryption), TLS in transit |
| Tenant Isolation | Database-level isolation with composite unique indexes |
| Audit Logging | Immutable audit trail with 90 tracked action types |
| API Security | Bearer token + customer ID header authentication |
| Email Security | CAN-SPAM compliance, signed unsubscribe tokens |
| AI Controls | Per-tenant rate limiting, usage logging, admin disable flag |
| Deployment | Non-root containers, multi-stage Docker builds, K8s secrets |
| CI/CD | Brakeman SAST, bundler-audit, importmap audit on every build |
Authentication & Single Sign-On
EmpireVault delegates all authentication to WorkOS, an enterprise identity platform. We never store passwords. Users authenticate through OAuth 2.0, and organizations can connect their own identity provider via SAML or OIDC for single sign-on.
- No local password storage — all credentials managed by your identity provider
- SSO support via SAML 2.0 and OpenID Connect
- Session management with secure, HTTP-only cookies
- Automatic session invalidation on user deactivation
Authorization & Access Control
Access control in EmpireVault operates at three independent layers, ensuring users can only reach the data and features appropriate to their role and subscription.
- Role-Based Access Control (RBAC): A defined role hierarchy (super_admin, admin, manager, sales, readonly) governs permissions across 30+ resources
- Tool Entitlements: Each subscription plan defines which platform modules (CRM, Tickets, Campaigns, etc.) are accessible
- Subscription Gating: Platform access is enforced based on subscription state, with automatic restriction when subscriptions lapse
Encryption
Data at Rest
All sensitive fields are encrypted at the application layer using Rails ActiveRecord Encryption with AES-256-GCM. This includes personally identifiable information, API credentials, system settings, and email content. Encryption is deterministic only for fields that must be looked up by exact value (the same plaintext always yields the same ciphertext, which is what makes such lookups possible) and non-deterministic everywhere else, so that identical values produce different ciphertexts.
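The deterministic versus non-deterministic distinction above, as an added stand-alone illustration in plain Ruby (not EmpireVault's code and not Rails' own implementation; the key material, the nonce-derivation rule and the blob layout are assumptions made for the demo):

```ruby
require "openssl"
require "securerandom"

# Constructed 256-bit key for the demo; a real deployment loads it from a secret store.
KEY = OpenSSL::Digest::SHA256.digest("demo-key-material-not-for-production")

# AES-256-GCM with the supplied 12-byte nonce; returns nonce || tag || ciphertext.
def gcm_encrypt(plaintext, nonce)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = KEY
  cipher.iv = nonce
  cipher.auth_data = ""
  ct = cipher.update(plaintext) + cipher.final
  nonce + cipher.auth_tag + ct
end

# Reverses gcm_encrypt; raises OpenSSL::Cipher::CipherError if the tag check fails.
def gcm_decrypt(blob)
  nonce, tag, ct = blob[0, 12], blob[12, 16], blob[28..]
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = KEY
  cipher.iv = nonce
  cipher.auth_tag = tag
  cipher.auth_data = ""
  cipher.update(ct) + cipher.final
end

# Non-deterministic: fresh random nonce per call, so equal inputs never look equal
# in the database, but the column cannot be used in an equality lookup.
def encrypt_random(plaintext)
  gcm_encrypt(plaintext, SecureRandom.random_bytes(12))
end

# Deterministic: nonce derived from the plaintext under a separate HMAC key, so
# equal inputs give equal ciphertexts and the column can be queried by value.
# The price is that equality of plaintexts is visible to anyone reading the column.
def encrypt_deterministic(plaintext)
  nonce = OpenSSL::HMAC.digest("SHA256", KEY + "iv", plaintext)[0, 12]
  gcm_encrypt(plaintext, nonce)
end

# True when GCM rejects a modified blob, which is the integrity guarantee both modes share.
def tamper_detected?(blob)
  gcm_decrypt(blob)
  false
rescue OpenSSL::Cipher::CipherError
  true
end
```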
Data in Transit
All traffic is encrypted via TLS 1.2+ across every subdomain. Certificates are automatically provisioned and renewed through cert-manager with Let’s Encrypt. Internal cluster communication is secured within the Kubernetes network boundary.
Tenant Isolation
EmpireVault is a multi-tenant platform with strict data isolation enforced at the database level. Every tenant-scoped record includes a tenant_id foreign key, and composite unique indexes prevent cross-tenant data leakage. All queries are automatically scoped to the authenticated user’s tenant context.
- Database-level tenant scoping on all models
- Composite unique indexes enforce data boundaries
- Cross-tenant access is architecturally impossible through normal application paths
Audit Logging
Every significant action in EmpireVault is recorded in an immutable audit log. Audit records cannot be modified or deleted — they are append-only by design. The platform tracks over 90 distinct action types spanning user management, CRM operations, ticket workflows, billing events, and AI usage.
- 90 tracked action types across all platform modules
- Immutable records — no update or delete operations permitted
- Full actor attribution (who, what, when, from where)
- Available to administrators for compliance and investigation
API Security
All API endpoints require authentication via Bearer token and a customer ID header. Public-facing API endpoints (such as lead capture and waitlist signup) are rate-limited and validated. Internal service communication is restricted to the Kubernetes cluster network.
Email Security
EmpireVault’s email infrastructure enforces compliance and security at every layer.
- CAN-SPAM compliance built into all outbound email — physical address footer, one-click unsubscribe
- Cryptographically signed unsubscribe tokens prevent tampering and ensure only legitimate recipients can unsubscribe
- List-Unsubscribe headers for RFC 8058 compliance
- Bounce tracking and automatic suppression list management
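The signed unsubscribe token idea from the list above, as an added illustration that is not EmpireVault's code (the token layout, the secret name and the recipient/list field names are assumptions): an HMAC-signed token that binds recipient, list and expiry, verified with a constant-time comparison before any field is trusted.

```ruby
require "openssl"
require "base64"

# Constructed secret for the demo; a real deployment loads it from a secret store.
UNSUB_SECRET = "demo-unsubscribe-secret-not-for-production"

def b64u(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

def sign(payload)
  OpenSSL::HMAC.digest("SHA256", UNSUB_SECRET, payload)
end

# Byte-wise comparison whose timing does not depend on where the strings differ.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Mint a token bound to one recipient, one mailing list and an expiry (unix time).
def unsubscribe_token(recipient_id, list_id, expires_at)
  payload = [recipient_id, list_id, expires_at].join(":")
  "#{b64u(payload)}.#{b64u(sign(payload))}"
end

# Returns { recipient_id:, list_id: } for a valid, unexpired token, nil otherwise.
def verify_unsubscribe_token(token, now: Time.now.to_i)
  encoded_payload, encoded_sig = token.to_s.split(".", 2)
  return nil if encoded_payload.nil? || encoded_sig.nil?
  payload = Base64.urlsafe_decode64(encoded_payload)
  sig = Base64.urlsafe_decode64(encoded_sig)
  # Check the signature before reading any field out of the payload.
  return nil unless secure_equal?(sig, sign(payload))
  recipient_id, list_id, expires_at = payload.split(":", 3)
  return nil if expires_at.nil? || expires_at.to_i < now
  { recipient_id: recipient_id, list_id: list_id }
rescue ArgumentError # malformed base64
  nil
end
```

A valid signature proves the platform minted the token for that recipient and list and that it was not altered; it does not by itself stop reuse by anyone holding the link, so binding the token to a single recipient and action limits what a leaked link can do.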
AI Usage Controls
AI-powered features (ticket triage, draft replies, summarization, translation, and routing) include robust controls to ensure responsible use and cost management.
- Per-tenant rate limiting with configurable daily and monthly caps
- Complete usage logging — every AI invocation is recorded with model, token count, and requesting user
- Admin disable flag — AI features can be turned off entirely per tenant
- No customer data is used for model training — all AI calls use the OpenAI API with data processing agreements in place
Deployment Security
EmpireVault runs on Kubernetes with security best practices applied at every layer of the infrastructure.
- Non-root containers — all application containers run as unprivileged users
- Multi-stage Docker builds — production images contain only runtime dependencies, minimizing attack surface
- Kubernetes Secrets — all credentials and sensitive configuration are stored in K8s Secrets, never in code or environment files
- Automated TLS certificate management via cert-manager and Let’s Encrypt
- Container images tagged with commit SHA for full traceability
CI/CD Security
Every code change passes through an automated security pipeline before reaching production.
- Brakeman — static application security testing (SAST) scans every build for common Rails vulnerabilities
- bundler-audit — checks all Ruby dependencies against known CVE databases
- importmap audit — verifies JavaScript dependencies for known vulnerabilities
- Full test suite execution on every push — deployments are blocked on test failure
Compliance
EmpireVault’s security controls are designed in alignment with the ISO 27001 information security management framework. We are actively working toward formal certification and continuously evaluate our controls against ISO 27001 Annex A requirements across access control, cryptography, operations security, and communications security domains.
Our platform also enforces CAN-SPAM compliance for all outbound email communications, with built-in unsubscribe mechanisms, mailing address requirements, and suppression list management.
Have Questions About Security?
We welcome security inquiries from customers and prospects. If you need additional detail for your vendor assessment or have specific questions about our security practices, we are happy to help.
