Authentication
Two-factor authentication (2FA)
All plans support 2FA for added account security. To enable 2FA:
- Click your avatar → Security Settings
- Select Two-Factor Authentication
- Scan the QR code with an authenticator app (Google Authenticator, Authy, etc.)
- Enter the 6-digit code to confirm
Enterprise: Single Sign-On (SSO)
Enterprise customers can enforce SAML 2.0 SSO via their identity provider (Okta, Azure AD, Google Workspace, etc.). To configure SSO:
- Contact your FTS account manager
- Provide your identity provider’s metadata URL
- We’ll validate the setup in a test environment
- Once live, all workspace members must authenticate via your corporate SSO
Session management
FTS sessions expire after 30 days of inactivity. You’ll be notified 3 days before expiry with an in-app banner. To manually log out:
- Click your avatar → Sign Out
- All active sessions are terminated
To review and manage active sessions:
- Security Settings → Active Sessions
- See device, browser, and last activity
- Click Sign Out on any session to terminate it remotely
You can have up to 5 simultaneous sessions (e.g., desktop + 2 browsers + mobile + API token).
Data encryption
In transit (HTTPS TLS 1.3):
- All data between your browser/client and FTS servers is encrypted
- Certificates are automatically renewed via Let’s Encrypt
At rest:
- Case data, attachments, and metadata are encrypted in our Neon PostgreSQL database
- Encryption keys are managed by AWS KMS (Enterprise plan uses customer-managed keys)
- User passwords and API keys are hashed (bcrypt) and salted
- Session tokens use HMAC-SHA256
Workspace isolation
Each workspace is logically isolated:
- Members of workspace A cannot access data from workspace B
- Workspace admins cannot escalate privileges beyond their workspace
- API tokens are workspace-scoped
Data compliance
GDPR (EU)
- FTS is GDPR-compliant. We process personal data only as needed for service delivery.
- Data is stored in EU data centers (Neon PostgreSQL in Frankfurt, Germany; Cloudflare R2 in Paris).
- You can request data export or deletion anytime (see Data export).
SOC 2
- We’re undergoing SOC 2 Type II certification, expected Q3 2026.
- Current security controls meet SOC 2 standards; audit report available upon request.
- Available in your Workspace Settings → Legal for EU customers and those requiring contractual assurances.
Workspace access controls
Admin capabilities:
- Invite, remove, and reassign member roles
- View audit logs (who accessed what, when)
- Set data retention policies
- Configure SSO and IP allowlists (Enterprise)
Roles:
- Viewer: Read-only access
- Member: Create and edit own cases
- Reviewer: Approve/reject cases in review workflows
- Admin: Full workspace control
Incident response
If you discover a security issue:
- Email security@ferrufino-tech-solutions.com with details
- We’ll acknowledge within 1 business day
- Our security team investigates and contacts you with updates
- Critical issues trigger an incident response plan (see Enterprise SLA)
We ask that you do not publicly disclose vulnerabilities until we’ve had time to patch. We follow responsible disclosure practices and will credit reporters.
API security
If you use the FTS API:
- Generate tokens in Workspace Settings → API Tokens
- Each token is workspace-scoped and cannot access other workspaces
- Tokens expire after 1 year; you’ll be reminded to rotate
- Revoke any token immediately if compromised
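Session tokens (HMAC-SHA256, 30-day inactivity expiry, remote sign-out) and API tokens (workspace-scoped, 1-year expiry, revocable) follow the same pattern: signed claims that are verified on every request. The code below is an added example of that pattern and is not FTS code; the claim names, the sliding-expiry behaviour for sessions and the signing key are assumptions made for the illustration, and the key is a constructed placeholder.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Set

# Constructed placeholder key for this example only; a real service loads the
# key from a secrets manager and rotates it.
SERVER_KEY = b"example-only-signing-key-not-for-production"

SESSION_INACTIVITY_TTL = 30 * 24 * 3600   # sessions expire after 30 days of inactivity
API_TOKEN_TTL = 365 * 24 * 3600           # API tokens expire after 1 year


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(kind: str, subject: str, workspace: str, now: int,
                key: bytes = SERVER_KEY) -> str:
    """Mint a session or API token: claims bound to one workspace, with issue
    and expiry times, signed with HMAC-SHA256 over the encoded claims."""
    ttl = SESSION_INACTIVITY_TTL if kind == "session" else API_TOKEN_TTL
    claims = {"kind": kind, "sub": subject, "ws": workspace, "iat": now, "exp": now + ttl}
    body = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = _b64(hmac.new(key, body.encode("ascii"), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(token: str, now: int, revoked: Set[str],
                 key: bytes = SERVER_KEY) -> Optional[dict]:
    """Return the claims if signature, expiry and revocation all check out,
    otherwise None. The signature is verified before the body is parsed, so
    unsigned or tampered input never reaches the JSON parser."""
    try:
        body, sig = token.split(".")
        expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
        # compare_digest runs in constant time, so a forged signature cannot be
        # guessed byte by byte from response timing
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(body))
        expires = claims["exp"]
    except (ValueError, UnicodeError, KeyError, TypeError):
        return None
    if now >= expires or token in revoked:
        return None
    return claims


def authorize(claims: dict, resource_workspace: str) -> bool:
    """Workspace isolation: a token only reaches resources of the workspace it
    was minted for, whatever the holder's role in any other workspace."""
    return claims["ws"] == resource_workspace


def touch_session(token: str, now: int, revoked: Set[str],
                  key: bytes = SERVER_KEY) -> Optional[str]:
    """Sliding expiry for sessions: each valid use reissues the token so the
    30-day inactivity clock restarts. API tokens are deliberately not extended."""
    claims = verify_token(token, now, revoked, key)
    if claims is None or claims["kind"] != "session":
        return None
    return issue_token("session", claims["sub"], claims["ws"], now, key)
```

Revocation is a server-side lookup, which is why "Sign Out" on another device and "Revoke any token" take effect immediately even though the signature on the old token remains valid: the `revoked` set is consulted after the signature check, not instead of it.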
Password policy
FTS enforces strong passwords:
- Minimum 12 characters
- At least one uppercase letter, one lowercase, one number, one special character
- Checked against common breach databases (HIBP)
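As an added example (not FTS code), the checker below applies the three rules above and performs the HIBP check the way the Pwned Passwords range API is designed to be used: only the first five hex characters of the password's SHA-1 are sent, and the matching suffix is searched locally, so the password itself never leaves the client. So that it runs offline, the range response is a constructed stand-in for a single prefix rather than a live request, and "Password123!" is the constructed "breached" value.

```python
import hashlib
import re
from typing import Callable, List

MIN_LENGTH = 12


def _sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for the Pwned Passwords range API. The real endpoint
# (https://api.pwnedpasswords.com/range/<5-hex-char prefix>) returns one line
# per known hash with that prefix, as "<35-char suffix>:<count>". One prefix is
# embedded here so the example runs offline.
_BREACHED = _sha1_hex("Password123!")
FAKE_RANGE_RESPONSES = {
    _BREACHED[:5]: f"{_BREACHED[5:]}:12345\r\n"
                   "0000000000000000000000000000000000A:1\r\n",
}


def range_lookup(prefix: str) -> str:
    """Offline replacement for the HTTP call; returns the raw response body."""
    return FAKE_RANGE_RESPONSES.get(prefix, "")


def breach_count(password: str, lookup: Callable[[str], str] = range_lookup) -> int:
    """k-anonymity check: only the 5-character SHA-1 prefix leaves the client;
    the 35-character suffix is matched locally against the returned range."""
    digest = _sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def policy_violations(password: str, lookup: Callable[[str], str] = range_lookup) -> List[str]:
    """Apply the FTS password rules; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no number")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    hits = breach_count(password, lookup)
    if hits:
        problems.append(f"appears {hits} times in breach data")
    return problems
```

Passing the lookup function as a parameter keeps the breach check testable offline and makes swapping in the real HTTP client a one-line change at the call site.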