Security

Private beta security model for infrastructure documentation, takeover records, audit history, and evidence references.

Security scope

InfraBinder uses role-based access, tenant-scoped reads and writes, audit logs, version history for sensitive records, soft archive behavior, and HTTP-only session cookies.

Business Owner, Technical Admin, Viewer/Auditor, Billing Admin, and Emergency Contact roles are separated so technical maintainers cannot silently remove the protected owner by default.

Account sign-in supports optional authenticator-app MFA with one-time recovery codes. When MFA is enabled, a session is created only after both the password and the MFA challenge succeed.

MFA/recovery reference fields in credential records are documentation-only references for external systems and credential vaults. They are separate from InfraBinder account MFA.

Evidence files and notes should not contain passwords, API keys, private keys, recovery codes, TOTP seeds, or secret values.

Report suspected vulnerabilities, account access concerns, or private beta security issues through the security contact.

security@infrabinder.com