Security & Compliance

Security is architecture, not an afterthought

Command Bridge is built for agencies that handle sensitive, classified, and law-enforcement data. Security is enforced at every layer — database, application, and network.

Core Security Architecture

Three pillars that protect your data

Isolation, access control, and auditability are not features — they are architectural decisions baked into every layer of the system.

Data Isolation

Every query is tenant-scoped at the database level. Application logic cannot bypass these controls — isolation is enforced by PostgreSQL Row-Level Security policies, not by trust in application code.

  • Row-Level Security (RLS) on all database tables
  • Database-enforced tenant separation — not just application logic
  • Tenant context propagated via AsyncLocalStorage
  • Users can belong to multiple tenants with secure context switching
  • No cross-tenant data leakage by design

Access Control

Fine-grained role-based access control with 50+ permissions across every module. Roles are composable, cloneable, and enforceable at both the API and UI layers.

  • 50+ granular permissions across 12+ modules
  • Pre-built role templates (Admin, Manager, Operator) plus custom roles
  • Permission actions: view, create, edit, delete, approve, module-specific
  • Role cloning for rapid setup
  • Permission caching with LRU eviction for performance
  • Per-role home dashboard assignment

Audit Trail

Every action in the system is recorded with structured before/after diffs, user attribution, and timestamps. Audit records are immutable — database triggers prevent modification or deletion.

  • 247+ auditable resource types across all modules
  • Every action logged: create, update, delete, view, login, export
  • Automatic before/after state comparison with structured diffs
  • Database triggers reject UPDATE and DELETE on audit records, so they cannot be altered or removed through the application's database role
  • 30+ sensitive fields (passwords, tokens) excluded from diffs
  • Classification levels: public, internal, sensitive, law enforcement, health
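
As an added example (not Command Bridge's code), here is one way to produce the structured before/after diff described above while keeping sensitive fields out of it. The field names, the denylist and the sample user record are constructed.

```javascript
// Added example, not Command Bridge code: building the before/after diff an audit
// record carries, with a denylist of sensitive fields whose values are replaced by a
// redaction marker so secrets never reach the audit table (where triggers would keep
// them forever). Field names, the denylist and the sample records are constructed.

// Fields whose old or new values must never appear in an audit diff.
const SENSITIVE_FIELDS = new Set([
  'password', 'passwordHash', 'apiKey', 'token', 'refreshToken', 'mfaSecret', 'ssn',
]);

const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);
const sameValue = (a, b) => JSON.stringify(a) === JSON.stringify(b);

// Recursively compare two snapshots and return { "dotted.path": change } for every
// leaf that differs. A sensitive leaf records only that it changed; a missing side
// (create or delete) is stored as null.
function diffSnapshots(before, after, prefix = '', out = {}) {
  const keys = new Set([...Object.keys(before || {}), ...Object.keys(after || {})]);
  for (const key of keys) {
    const path = prefix ? `${prefix}.${key}` : key;
    const a = before ? before[key] : undefined;
    const b = after ? after[key] : undefined;
    if (sameValue(a, b)) continue;
    if (SENSITIVE_FIELDS.has(key)) { out[path] = { redacted: true }; continue; }
    if (isPlainObject(a) && isPlainObject(b)) { diffSnapshots(a, b, path, out); continue; }
    out[path] = { from: a === undefined ? null : a, to: b === undefined ? null : b };
  }
  return out;
}

// Assemble the audit record. `action` is one of the logged verbs (create, update,
// delete, view, login, export); for create or delete one side of the diff is null.
function buildAuditRecord({ actor, action, resourceType, resourceId, before, after, at = new Date() }) {
  const changes = diffSnapshots(before, after);
  return {
    at: at.toISOString(),
    actorId: actor.id,
    tenantId: actor.tenantId,
    action,
    resourceType,
    resourceId,
    changedFields: Object.keys(changes).sort(),
    changes,
  };
}

// Constructed sample: an operator's account is edited; the role, a nested phone
// number and two secrets change, the email does not.
const actor = { id: 'u-admin-7', tenantId: 't-alpha' };
const before = {
  email: 'ops@agency.example', role: 'Operator',
  passwordHash: '$argon2id$v=19$m=65536,t=3,p=4$oldsaltoldsalt$oldhasholdhash',
  profile: { phone: '555-0100', shift: 'day' },
  tokens: { refreshToken: 'rt_old_9f8e7d' },
};
const after = {
  email: 'ops@agency.example', role: 'Manager',
  passwordHash: '$argon2id$v=19$m=65536,t=3,p=4$newsaltnewsalt$newhashnewhash',
  profile: { phone: '555-0199', shift: 'day' },
  tokens: { refreshToken: 'rt_new_1a2b3c' },
};

function demo() {
  const record = buildAuditRecord({ actor, action: 'update', resourceType: 'user', resourceId: 'u-42', before, after });
  // Prove no secret leaked anywhere in the serialized record.
  const serialized = JSON.stringify(record);
  const leaked = ['oldhash', 'newhash', 'rt_old', 'rt_new'].filter(s => serialized.includes(s));
  return { record, leaked };
}

console.log(JSON.stringify(demo(), null, 2));
```

Redaction is decided on the field name before the recursion step, so a sensitive key that holds an object (a credentials blob, say) is redacted as a whole rather than walked into.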

Authentication & Session Security

Identity verification and session management designed for agencies with strict compliance requirements. Every authentication event is audited, and session policies are configurable per agency.

  • Auth0 integration with RS256 JWT verification
  • Enterprise SSO support
  • Configurable session and idle timeouts per agency
  • Failed login lockout with Redis-backed tracking
  • IP allowlist enforcement
  • Password minimum length requirements
  • Impersonation tokens for admin troubleshooting (with audit logging)
  • CSRF protection via Origin/Referer validation
  • CORS with explicit origins — no wildcards with credentials
  • Rate limiting across 5 tiers (API: 300/min, Strict: 10/min, Bulk: 20/min, AI: 30/min, Report: 5/min)
  • File type validation and SVG sanitization
  • Chunked upload with storage quota management
  • Time-limited signed URLs for file downloads
  • CAPTCHA protection (Turnstile) on public portal

Network & Application Security

Defense-in-depth across every request path. Rate limiting, origin validation, file sanitization, and CAPTCHA protection work together to ensure no single control failure compromises the system.
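
As an added example (not Command Bridge's code), the following shows the two origin checks the paragraph refers to, the CSRF gate on state-changing requests and CORS headers built from an explicit allowlist, together with the edge cases each has to handle: a missing header, the literal null origin, and a lookalike domain. The allowlisted origins and the sample requests are constructed.

```javascript
// Added example, not Command Bridge code: the two origin checks a request path can
// apply: a CSRF gate on unsafe methods that trusts only an allowlisted Origin (or
// Referer as a fallback), and CORS response headers that echo an exact allowlisted
// origin instead of "*". The allowlist and the request headers are constructed.
const ALLOWED_ORIGINS = new Set([
  'https://app.command-bridge.example',
  'https://portal.command-bridge.example',
]);
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Reduce a URL to scheme://host[:port]; null for anything unparseable, including
// the literal "null" origin browsers send for sandboxed or opaque contexts.
function originOf(value) {
  try { return new URL(value).origin; } catch { return null; }
}

// CSRF gate for state-changing methods. Browsers set Origin on cross-site POSTs and
// page script cannot forge it; if both Origin and Referer are missing, refuse rather
// than guess.
function checkCsrf(method, headers) {
  if (SAFE_METHODS.has(method.toUpperCase())) return { allowed: true, reason: 'safe-method' };
  const origin = originOf(headers.origin || '');
  if (origin) {
    return ALLOWED_ORIGINS.has(origin)
      ? { allowed: true, reason: 'origin' }
      : { allowed: false, reason: 'origin-not-allowed' };
  }
  const referer = originOf(headers.referer || '');
  if (referer) {
    return ALLOWED_ORIGINS.has(referer)
      ? { allowed: true, reason: 'referer' }
      : { allowed: false, reason: 'referer-not-allowed' };
  }
  return { allowed: false, reason: 'no-origin-or-referer' };
}

// CORS headers for a response. Exact-match the allowlist (a Set, not startsWith or a
// regex, so app.command-bridge.example.evil.example does not pass), echo that one
// origin, and vary on it. Never pair "*" with credentials: browsers refuse that
// combination, and reflecting arbitrary origins with credentials would defeat the
// allowlist entirely.
function corsHeaders(requestOrigin) {
  if (!ALLOWED_ORIGINS.has(requestOrigin)) return {};  // no CORS headers: the browser blocks the read
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    'Access-Control-Allow-Methods': 'GET, POST, PUT, PATCH, DELETE',
    'Access-Control-Allow-Headers': 'Content-Type, Authorization',
    'Vary': 'Origin',
  };
}

// Constructed requests exercising each branch.
function demo() {
  return {
    sameSitePost: checkCsrf('POST', { origin: 'https://app.command-bridge.example' }).reason,
    crossSitePost: checkCsrf('POST', { origin: 'https://evil.example' }).reason,
    lookalike: checkCsrf('POST', { origin: 'https://app.command-bridge.example.evil.example' }).reason,
    opaqueOrigin: checkCsrf('POST', { origin: 'null' }).reason,
    refererOnly: checkCsrf('DELETE', { referer: 'https://portal.command-bridge.example/incidents/42' }).reason,
    headerless: checkCsrf('PUT', {}).reason,
    get: checkCsrf('GET', {}).reason,
    corsAllowed: corsHeaders('https://portal.command-bridge.example'),
    corsDenied: corsHeaders('https://evil.example'),
  };
}

console.log(demo());
```

The Referer fallback exists for the few clients that omit Origin on same-origin requests; it is compared as an origin, never as a path prefix, and the absence of both headers is treated as hostile.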

API Security

Programmatic access with the same security rigor as the application itself. API keys are hashed at rest, scoped to specific permissions, and tracked at the request level.

  • API key management with platform and tenant-level scoping
  • SHA256 key hashing — plaintext never stored
  • Granular permission arrays per key
  • Configurable expiration dates
  • Usage tracking (count and timestamp)
  • Dedicated usage logging table
  • Revocation capability

Compliance & Data Governance

Built to meet the security requirements of law enforcement, public safety, and emergency management agencies — including CJIS-aligned controls and data classification enforcement.

  • CJIS-aligned security architecture
  • Data classification controls (public, internal, sensitive, law enforcement, health)
  • Multi-tenant isolation suitable for shared-services models
  • Exportable audit logs for compliance review
  • Configurable security policies per agency (18 categories)
  • Contact classification with sensitivity levels

Security at a glance

The numbers behind Command Bridge's security architecture.

  • 247+ auditable resource types
  • 50+ granular permissions
  • 12+ permission modules
  • 5-tier rate limiting
  • RLS: database-level isolation
  • Immutable audit log records
  • RS256 JWT verification
  • SSO: enterprise authentication
  • SHA256 API key hashing
  • CJIS-aligned architecture
  • 18 policy categories
  • 30+ redacted sensitive fields

Ready for a security conversation?

Schedule a technical briefing with our team. We will walk through the architecture, answer your compliance questions, and show you the audit trail in action.

See Command Bridge in action.