We're a security company. That means we hold our own platform to the same exacting standards we apply to the smart contracts we audit.
Defense in depth across every layer of the platform.
Smart contract source code submitted for analysis is processed entirely in-memory and immediately discarded. We retain only a SHA-256 hash of the contract for audit report integrity verification. Your code never touches a persistent storage layer.
All passwords are hashed using bcrypt with a cost factor of 12 before storage. Plain-text passwords are never stored, logged, or transmitted. Our systems cannot recover your password — only reset it via a secure tokenized flow.
All services run on SOC 2 Type II certified cloud infrastructure. Network traffic between services uses mTLS. Production databases are isolated in private VPCs with no public internet exposure. Backups are encrypted at rest using AES-256.
All communication with AuditSmart uses TLS 1.3 with HSTS enforced. We maintain an A+ rating on SSL Labs. API endpoints enforce strict rate limiting and request signing to prevent replay attacks.
Sessions use signed JWTs with short expiry windows (30 days) and are invalidated on password change or logout. OAuth tokens from GitHub and Google are never stored — only the user profile data we need. CSRF protection is enforced on all form endpoints.
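As an added illustration of the session model described above (this is example code written for this page, not AuditSmart's own implementation), the following standard-library Python issues an HS256-signed JWT with an exp claim and invalidates every outstanding token for a user by bumping a server-side session version, which is what "invalidated on password change or logout" requires in practice, since a signed JWT cannot otherwise be revoked before it expires. The signing key, the "ver" claim name and the SessionStore class are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed signing key for this example only; a deployment loads it from a secrets manager.
SECRET_KEY = b"example-hs256-signing-key-do-not-reuse"
SESSION_TTL = 30 * 24 * 3600  # 30-day expiry window, as stated on the page


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class SessionStore:
    """Server-side state: one integer per user, bumped on password change or logout.
    Tokens carrying an older version are rejected even though their signature is valid."""

    def __init__(self) -> None:
        self._versions: dict[str, int] = {}

    def current_version(self, user_id: str) -> int:
        return self._versions.get(user_id, 1)

    def invalidate_all(self, user_id: str) -> None:
        self._versions[user_id] = self.current_version(user_id) + 1


def issue_session(user_id: str, session_version: int, now: int) -> str:
    """Build and sign a compact JWT (header.payload.signature) with HMAC-SHA256."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "iat": now, "exp": now + SESSION_TTL, "ver": session_version}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    signature = hmac.new(SECRET_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify_session(token: str, store: SessionStore, now: int):
    """Return the user id for a valid token, or None. Never raises on malformed input."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm: a token claiming alg=none or another algorithm is rejected outright.
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(SECRET_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        # Constant-time comparison so signature checks do not leak timing information.
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        payload = json.loads(_b64url_decode(payload_b64))
        if now >= int(payload["exp"]):
            return None  # expired
        if payload["ver"] != store.current_version(payload["sub"]):
            return None  # invalidated by password change or logout
        return payload["sub"]
    except (ValueError, KeyError, AttributeError, TypeError):
        return None


if __name__ == "__main__":
    store = SessionStore()
    t0 = 1_700_000_000
    token = issue_session("alice", store.current_version("alice"), t0)
    print("valid:", verify_session(token, store, t0 + 60))
    store.invalidate_all("alice")  # e.g. after a password change
    print("after invalidation:", verify_session(token, store, t0 + 60))
```

The version counter is the smallest server-side state that makes JWT revocation work; a per-token deny list keyed on a jti claim is the alternative when only one session, rather than all of a user's sessions, must be ended.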
All API endpoints require authentication. Rate limiting is enforced per IP and per user using Upstash Redis. API keys are hashed before storage and scoped to minimum required permissions. Keys can be revoked instantly from the dashboard.
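The API-key handling above (hash before storage, minimal scopes, instant revocation, per-IP and per-user rate limits) can be shown end to end in a single standard-library Python example. This is code added for this page, not AuditSmart's implementation; the in-memory SlidingWindowLimiter stands in for the Upstash Redis limiter, and the "ask_" key prefix, the scope names and the check ordering are assumptions. Keys are random and high-entropy, so a fast SHA-256 digest is an appropriate storage form (a slow password hash is only needed for low-entropy secrets such as passwords).

```python
import hashlib
import secrets
from collections import deque


class SlidingWindowLimiter:
    """In-memory stand-in for the Redis-backed limiter: at most `limit` requests per
    `window` seconds for any key string, e.g. "ip:203.0.113.7" or "user:alice"."""

    def __init__(self, limit: int, window: int) -> None:
        self.limit = limit
        self.window = window
        self._hits: dict[str, deque] = {}

    def allow(self, key: str, now: float) -> bool:
        q = self._hits.setdefault(key, deque())
        while q and q[0] <= now - self.window:  # drop hits that fell out of the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class ApiKeyStore:
    """Persists only the SHA-256 digest of each key, its scope set and a revoked flag."""

    PREFIX = "ask_"  # constructed prefix; makes a leaked key recognisable in logs and scanners

    def __init__(self) -> None:
        self._records: dict[str, dict] = {}

    @staticmethod
    def digest(api_key: str) -> str:
        return hashlib.sha256(api_key.encode()).hexdigest()

    def create_key(self, user_id: str, scopes) -> str:
        raw = self.PREFIX + secrets.token_urlsafe(32)  # 256 bits of entropy
        self._records[self.digest(raw)] = {"user": user_id, "scopes": frozenset(scopes), "revoked": False}
        return raw  # shown to the user once; the plaintext is never kept

    def revoke(self, api_key: str) -> None:
        rec = self._records.get(self.digest(api_key))
        if rec is not None:
            rec["revoked"] = True  # takes effect on the next request

    def lookup(self, api_key: str):
        rec = self._records.get(self.digest(api_key))
        if rec is None or rec["revoked"]:
            return None
        return rec


def authorize(store: ApiKeyStore, limiter: SlidingWindowLimiter, api_key: str,
              client_ip: str, required_scope: str, now: float):
    """Return (allowed, reason). The per-IP limit runs before authentication so that
    guessing keys is throttled too; the per-user limit runs only for authenticated calls."""
    if not limiter.allow(f"ip:{client_ip}", now):
        return False, "rate_limited_ip"
    rec = store.lookup(api_key)
    if rec is None:
        return False, "unauthenticated"
    if required_scope not in rec["scopes"]:
        return False, "insufficient_scope"
    if not limiter.allow(f"user:{rec['user']}", now):
        return False, "rate_limited_user"
    return True, "ok"


if __name__ == "__main__":
    store = ApiKeyStore()
    limiter = SlidingWindowLimiter(limit=3, window=60)
    key = store.create_key("alice", ["audit:read"])
    print(authorize(store, limiter, key, "203.0.113.7", "audit:read", 1000.0))
    print(authorize(store, limiter, key, "203.0.113.7", "audit:write", 1001.0))
    store.revoke(key)
    print(authorize(store, limiter, key, "203.0.113.7", "audit:read", 1002.0))
```

Because only digests are stored, a database dump yields nothing usable, and revocation is a flag flip rather than a key rotation.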
We reward security researchers who find and responsibly disclose vulnerabilities in AuditSmart. We commit to acknowledging reports within 2 hours and paying bounties within 14 days of verification.
To report a vulnerability, email us at security@auditsmart.org with full reproduction steps and impact assessment.
Our security team is available 24/7 for urgent disclosures: security@auditsmart.org