Public security overview

Layered access without exposing the implementation.

This public page explains security principles only. Detailed architecture, control evidence, incident procedures, and private assessments belong in the screened stakeholder portal.

Role-based access

Private records and documents are available only to authenticated users with an active portal membership approved for the relevant workspace.

Database enforcement

Authorization is enforced in the database through Row Level Security rather than relying only on hidden buttons or client-side route checks.

Private document delivery

Screened files are stored in private buckets and delivered through short-lived signed URLs after authorization is rechecked.

Least privilege

Public clients receive only a publishable key. Server secrets remain server-side and are never included in browser bundles.

Auditability

Administrative approvals, document changes, and sensitive access events should be recorded in an append-oriented audit log.

Data separation

Marketing content, inquiries, portal documents, and participant-level research data should not share one unrestricted data environment.