Overview
NoteUp handles real client work — case descriptions, troubleshooting notes, contact information, and resolution details. We treat every piece of data as confidential and apply security controls at every layer of the application.
This page describes our security architecture, testing practices, and compliance posture. If you have questions or need this information for a vendor security assessment, contact us at info@noteup.ca.
Data Encryption
All connections are encrypted with TLS 1.3. HSTS is enforced with a one-year max-age and preload directive. HTTP connections are automatically redirected to HTTPS.
Sensitive fields (authentication secrets, 2FA tokens) are encrypted using AES field-level encryption with HMAC integrity verification. Passwords are hashed with Werkzeug's PBKDF2-SHA256 with unique salts — never stored in plaintext.
Authentication & Access Control
Passwords must be at least 8 characters and include uppercase, lowercase, and numeric characters. Password history prevents reuse of the last 5 passwords.
Two-factor authentication uses TOTP as specified in RFC 6238. QR codes are generated server-side, with no third-party authentication service involved. Eight single-use backup codes are provided and stored as salted hashes.
Accounts are locked for 15 minutes after 5 consecutive failed login attempts. Lockout is cleared on successful password reset.
Sessions expire after a server-enforced 30-minute timeout and use secure, HTTP-only, SameSite=Lax cookies. Client-side idle detection triggers automatic logout. Session duration is logged in the audit trail.
Team administrators can restrict access to approved IP addresses or CIDR ranges. Logins from unauthorized IPs are blocked at the application layer.
Application Security
Every state-changing form includes a CSRF token validated server-side. AJAX requests include the token via a custom header.
Strict CSP headers restrict script execution, style sources, and frame embedding. X-Frame-Options is set to DENY and X-Content-Type-Options to nosniff.
All user input is validated server-side. Template rendering uses automatic HTML escaping via Jinja2. File uploads are restricted by type and size.
Server-level rate limits on authentication endpoints (login, registration, password reset) prevent brute-force and credential-stuffing attacks.
Public-facing forms are protected by Cloudflare Turnstile challenge verification.
Login redirect targets are validated to prevent open redirect attacks. Only relative paths within the application are accepted.
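The redirect check described above, as an added Python illustration rather than NoteUp's own code (the function names and the /dashboard fallback are assumptions). It accepts only root-relative paths and rejects the usual ways a target can escape the application: an absolute URL, a protocol-relative URL, a backslash variant that browsers normalise to a second slash, or a control character.

```python
from typing import Optional
from urllib.parse import urlsplit

DEFAULT_AFTER_LOGIN = "/dashboard"   # assumed landing page; the real one is not stated on the page


def is_safe_redirect_target(target: str) -> bool:
    """Accept only root-relative paths inside this application.

    Rejects empty values, URLs with a scheme, protocol-relative URLs
    ("//host/..."), backslash variants browsers treat as slashes, and any
    whitespace or control character.
    """
    if not target or len(target) > 2048:
        return False
    # Whitespace and control characters never appear in a path we generated ourselves.
    if any(ord(ch) <= 0x20 or ord(ch) == 0x7F for ch in target):
        return False
    # Browsers treat "\" like "/", so "/\evil.example" resolves to "//evil.example".
    normalised = target.replace("\\", "/")
    if not normalised.startswith("/") or normalised.startswith("//"):
        return False
    # Belt and braces: after normalisation the value must still carry no scheme or host.
    parts = urlsplit(normalised)
    return parts.scheme == "" and parts.netloc == ""


def resolve_post_login_redirect(target: Optional[str], default: str = DEFAULT_AFTER_LOGIN) -> str:
    """Return the validated target, or the default landing page when the target is unsafe."""
    if target is None:
        return default
    return target if is_safe_redirect_target(target) else default
```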
Infrastructure Security
The application runs on dedicated infrastructure behind Cloudflare's CDN and DDoS protection layer. The reverse proxy enforces security headers on every response.
All payment data is handled by Stripe (PCI DSS Level 1 certified). NoteUp never processes, stores, or transmits card numbers.
Outbound email uses authenticated SMTP over TLS (STARTTLS on port 587). SPF, DKIM, and DMARC records configured for the noteup.ca domain.
Testing & Quality Assurance
A comprehensive automated test suite covers authentication flows, authorization checks, data isolation, team permissions, 2FA workflows, form validation, and edge cases. Tests run against isolated databases to prevent data leakage.
Dedicated test cases verify that unauthenticated access is blocked, cross-user data isolation holds, CSRF is enforced, input is sanitized, disabled accounts are handled correctly, and team permission boundaries are respected.
All code changes are validated against the full test suite before deployment to catch regressions in security controls.
Third-party dependencies are pinned to minimum versions and reviewed for known vulnerabilities before updates.
Audit Trail & Monitoring
Every create, update, and delete action is recorded in an immutable audit log with timestamp, user ID, IP address, and action summary. Users can view their own activity history.
Successful logins, failed attempts, 2FA verifications, and session durations are tracked. Failed login attempts are counted toward account lockout thresholds.
Data Portability & Deletion
Users can export all their data (cases, notes, contacts, tasks, journal entries, profile, audit logs) as a ZIP archive at any time from their account settings.
Users can permanently delete their account and all associated data. Team owners must disband the team first. Deletion is irreversible and completed immediately.
Compliance Posture
NoteUp implements controls aligned with industry security frameworks:
Security controls address the Trust Services Criteria: access control, encryption, change management, monitoring, and incident response.
Data collection is minimal and purposeful. Users can access, export, and delete their data. No data is shared with third parties beyond payment processing (Stripe).
Vendor Assessments
We're happy to provide detailed security documentation for vendor risk assessments. Contact us at info@noteup.ca for security questionnaires and compliance reports.