Security
BillPilot is designed for enterprise controls: strict tenant isolation, auditable workflows, and secret handling that aligns with AWS best practices.
Secrets Management
OAuth tokens and operational secrets are stored exclusively in AWS Secrets Manager, never in plaintext databases or environment variables. Secrets are rotated automatically, and every access is audit-logged.
Token Handling
Cognito JWTs are verified on every API request. Calendar refresh tokens are encrypted in Secrets Manager. Session cookies are HttpOnly with the Secure flag and SameSite=Lax, so no tokens are exposed to client-side JavaScript.
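The per-request checks described above, as an added example rather than BillPilot's own code: choosing the JWKS key named by the token header (refusing any algorithm other than RS256), validating the Cognito claims after the signature has been checked, and emitting the session cookie with the HttpOnly, Secure and SameSite=Lax attributes. The issuer, client id and JWKS entries are constructed placeholders, and the RSA signature verification itself is left to a JWT library so the example runs offline.

```python
import time
from http.cookies import SimpleCookie

# Constructed stand-ins for a Cognito user pool (hypothetical region/pool/client ids).
ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLEPOOL"
CLIENT_ID = "1example23456789abcdefghijkl"

# Constructed JWKS in the shape Cognito serves at <issuer>/.well-known/jwks.json;
# the key material is elided because this example stops short of signature checking.
JWKS = {"keys": [
    {"kid": "kid-2024-a", "kty": "RSA", "alg": "RS256", "use": "sig", "n": "<elided>", "e": "AQAB"},
    {"kid": "kid-2024-b", "kty": "RSA", "alg": "RS256", "use": "sig", "n": "<elided>", "e": "AQAB"},
]}


class TokenError(Exception):
    """Raised for any token that must be rejected; the API maps this to 401."""


def select_signing_key(jwks, header):
    """Pick the JWK named by the token header's kid. The signature is then
    verified with that key by a JWT library (e.g. PyJWT), outside this example."""
    if header.get("alg") != "RS256":
        raise TokenError("unexpected alg")   # the token never gets to choose the algorithm
    for key in jwks["keys"]:
        if key.get("kid") == header.get("kid") and key.get("use") == "sig":
            return key
    raise TokenError("unknown kid")


def validate_claims(claims, *, issuer=ISSUER, client_id=CLIENT_ID, now=None, leeway=60):
    """Claim checks applied on every request once the signature is known good."""
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise TokenError("issuer mismatch")
    token_use = claims.get("token_use")
    # Cognito access tokens carry client_id; ID tokens carry aud.
    if token_use == "access":
        if claims.get("client_id") != client_id:
            raise TokenError("client_id mismatch")
    elif token_use == "id":
        if claims.get("aud") != client_id:
            raise TokenError("audience mismatch")
    else:
        raise TokenError("unknown token_use")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp + leeway < now:
        raise TokenError("token expired")
    if not claims.get("sub"):
        raise TokenError("missing subject")
    return {"sub": claims["sub"], "groups": list(claims.get("cognito:groups", []))}


def session_cookie_header(value, name="session"):
    """Set-Cookie header for the session: HttpOnly, Secure, SameSite=Lax, Path=/."""
    cookie = SimpleCookie()
    cookie[name] = value
    cookie[name]["httponly"] = True
    cookie[name]["secure"] = True
    cookie[name]["samesite"] = "Lax"
    cookie[name]["path"] = "/"
    return cookie.output(header="Set-Cookie:")


if __name__ == "__main__":
    hdr = {"kid": "kid-2024-a", "alg": "RS256"}
    print(select_signing_key(JWKS, hdr)["kid"])
    claims = {"iss": ISSUER, "token_use": "access", "client_id": CLIENT_ID,
              "exp": int(time.time()) + 600, "sub": "u-1"}
    print(validate_claims(claims))
    print(session_cookie_header("opaque-session-id"))
```

The `leeway` tolerates small clock skew between API Gateway and the Cognito-issued `exp`; keep it to seconds, not minutes, since every extra second of leeway extends the life of a stolen token.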
Encryption
TLS 1.2+ for all data in transit. AES-256 at rest via AWS KMS for DynamoDB, S3, and Secrets Manager. No unencrypted data paths exist in the architecture.
Tenant Isolation
Every DynamoDB query is scoped by the tenant partition key. API Gateway authorizers enforce tenant boundaries on every request. Cross-tenant data access is architecturally impossible.
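The scoping rule above, as an added example that is not BillPilot's code: the tenant id is taken only from the authorizer context that API Gateway attaches to the request, the DynamoDB Query is built with that tenant as its partition key, and a tenant id supplied in the request body is treated as an anomaly rather than an input. The table name, key layout (pk = TENANT#id, sk = INVOICE#n) and the in-memory query evaluator are constructed stand-ins so it runs offline.

```python
TABLE = "billpilot-invoices"   # hypothetical table name


class TenantScopeError(Exception):
    """Raised when a request cannot be bound to exactly one tenant."""


def tenant_from_event(event):
    """Read the tenant id the API Gateway authorizer placed in the request context
    (REST API shape, requestContext.authorizer). This is the only trusted source;
    body, path and query string are client-controlled and never used for scoping."""
    ctx = event.get("requestContext", {}).get("authorizer", {})
    tenant_id = ctx.get("tenantId")
    if not tenant_id:
        raise TenantScopeError("request has no authorizer-bound tenant")
    return tenant_id


def invoice_query(tenant_id, status=None):
    """DynamoDB Query parameters: the partition key is always the caller's tenant."""
    params = {
        "TableName": TABLE,
        "KeyConditionExpression": "pk = :pk AND begins_with(sk, :sk)",
        "ExpressionAttributeValues": {
            ":pk": {"S": f"TENANT#{tenant_id}"},
            ":sk": {"S": "INVOICE#"},
        },
    }
    if status:  # a filter narrows the result but can never widen the partition
        params["FilterExpression"] = "#s = :status"
        params["ExpressionAttributeNames"] = {"#s": "status"}
        params["ExpressionAttributeValues"][":status"] = {"S": status}
    return params


def run_query(items, params):
    """Minimal in-memory evaluator for the query shape above (constructed stand-in
    for the DynamoDB call), so the scoping can be exercised offline."""
    vals = params["ExpressionAttributeValues"]
    pk, sk_prefix = vals[":pk"]["S"], vals[":sk"]["S"]
    out = [i for i in items if i["pk"] == pk and i["sk"].startswith(sk_prefix)]
    if "FilterExpression" in params:
        out = [i for i in out if i.get("status") == vals[":status"]["S"]]
    return out


def list_invoices(event, items):
    tenant_id = tenant_from_event(event)
    body = event.get("body") or {}
    # A client-supplied tenantId is never consulted; one that disagrees with the
    # authorizer is rejected so it shows up in the logs instead of silently passing.
    if body.get("tenantId") not in (None, tenant_id):
        raise TenantScopeError("client-supplied tenantId does not match authorizer")
    return run_query(items, invoice_query(tenant_id, body.get("status")))


# Constructed table contents for two tenants.
ITEMS = [
    {"pk": "TENANT#t-acme", "sk": "INVOICE#0001", "status": "draft", "amount": 120},
    {"pk": "TENANT#t-acme", "sk": "INVOICE#0002", "status": "sent", "amount": 80},
    {"pk": "TENANT#t-globex", "sk": "INVOICE#0001", "status": "sent", "amount": 500},
    {"pk": "TENANT#t-acme", "sk": "USER#alice", "role": "admin"},
]

if __name__ == "__main__":
    event = {"requestContext": {"authorizer": {"tenantId": "t-acme"}}, "body": {"status": "sent"}}
    print(list_invoices(event, ITEMS))
```

Because the partition key comes from the authorizer and the handler never accepts one from the client, there is no code path in which a request for tenant A can name tenant B's partition; the filter expression only ever removes rows from that single partition.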
Audit Trails
An append-only audit log records all sensitive actions, including role changes, invoice transitions, and data exports. No retroactive edits are possible. The log is reviewable per tenant with full timestamps.
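An added example of the append-only property, not BillPilot's implementation: each audit record is keyed by tenant and a millisecond timestamp, written with a DynamoDB conditional put that fails rather than overwrite an existing item, and reviewed per tenant in timestamp order. The table name, the set of action names and the in-memory store standing in for the table are assumptions made for the example.

```python
import json
import time
import uuid

TABLE = "billpilot-audit"  # hypothetical table name
SENSITIVE_ACTIONS = {"role.change", "invoice.transition", "data.export"}


class AuditWriteRejected(Exception):
    """A write would have replaced an existing record; the store refuses it."""


def audit_record(tenant_id, actor, action, detail, now=None):
    """Build one immutable record. The sort key starts with a zero-padded
    millisecond timestamp so a range query returns records in order; a random
    suffix keeps two actions in the same millisecond distinct."""
    if action not in SENSITIVE_ACTIONS:
        raise ValueError(f"unknown audit action {action!r}")
    ts = time.time() if now is None else now
    return {
        "pk": f"TENANT#{tenant_id}",
        "sk": f"{int(ts * 1000):013d}#{uuid.uuid4().hex}",
        "ts": ts,
        "actor": actor,
        "action": action,
        "detail": json.dumps(detail, sort_keys=True),
    }


def put_item_request(record):
    """PutItem parameters as they would go to DynamoDB (assumed mechanism): the
    condition turns any attempt to rewrite an existing key into a failed write."""
    item = {k: ({"N": str(v)} if isinstance(v, (int, float)) else {"S": str(v)})
            for k, v in record.items()}
    return {
        "TableName": TABLE,
        "Item": item,
        "ConditionExpression": "attribute_not_exists(pk) AND attribute_not_exists(sk)",
    }


class AuditLog:
    """In-memory stand-in for the table. It honours the conditional put and
    deliberately offers no update or delete operation."""

    def __init__(self):
        self._rows = {}

    def append(self, record):
        key = (record["pk"], record["sk"])
        if key in self._rows:
            raise AuditWriteRejected(key)
        self._rows[key] = dict(record)  # copy so the caller cannot mutate it later
        return key

    def review(self, tenant_id, since=0.0):
        """Records for one tenant, oldest first, optionally from a point in time."""
        pk = f"TENANT#{tenant_id}"
        rows = [r for (p, _), r in self._rows.items() if p == pk and r["ts"] >= since]
        return sorted(rows, key=lambda r: r["sk"])


if __name__ == "__main__":
    log = AuditLog()
    log.append(audit_record("t-acme", "alice", "role.change", {"user": "bob", "to": "admin"}))
    log.append(audit_record("t-acme", "alice", "data.export", {"rows": 42}))
    for r in log.review("t-acme"):
        print(r["ts"], r["actor"], r["action"], r["detail"])
```

The writer role for this table should hold only PutItem (plus Query for review); with UpdateItem and DeleteItem absent from the policy, the conditional expression and the IAM grant enforce the same append-only rule from two directions.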
Monitoring
CloudWatch alarms fire on authentication failures, export errors, and DLQ depth. Structured JSON logging supports rapid incident response, and real-time alerts flag anomalous access patterns.
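An added example, not BillPilot's code, of the logging and alerting pattern above: a structured JSON log line emitter, the CloudWatch Logs metric-filter pattern that would match those lines, and a sliding-window detector that raises one alert when authentication failures from one source against one tenant exceed a threshold. The field names, the sample log lines and the thresholds are constructed for the example.

```python
import json
from collections import defaultdict, deque

# CloudWatch Logs metric filter (JSON pattern syntax) that would feed an alarm
# on the lines produced by log_line below; assumes those field names.
AUTH_FAILURE_FILTER = '{ $.event = "auth_failure" }'


def log_line(ts, level, event, **fields):
    """One structured JSON log record; sorted keys keep lines diffable."""
    rec = {"ts": ts, "level": level, "event": event}
    rec.update(fields)
    return json.dumps(rec, sort_keys=True)


def detect_auth_failure_bursts(lines, threshold=5, window_s=60):
    """Sliding-window count of auth_failure per (tenant, source ip). Emits one
    alert per burst when the count inside the window reaches the threshold,
    then resets that window so a sustained attack yields one alert per burst
    rather than one per line."""
    windows = defaultdict(deque)
    alerts = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # a malformed line must not crash the detector
        if rec.get("event") != "auth_failure":
            continue
        key = (rec.get("tenant"), rec.get("src_ip"))
        q = windows[key]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window_s:
            q.popleft()  # drop timestamps that fell out of the window
        if len(q) >= threshold:
            alerts.append({"tenant": key[0], "src_ip": key[1], "count": len(q),
                           "first_ts": q[0], "last_ts": rec["ts"]})
            q.clear()
    return alerts


# Constructed sample: six failures from one address against t-acme within 25 s,
# two spread-out failures against t-globex, one unrelated event, one bad line.
SAMPLE = [log_line(1700000000 + 5 * i, "WARN", "auth_failure", tenant="t-acme",
                   src_ip="203.0.113.7", reason="bad_password") for i in range(6)]
SAMPLE += [
    log_line(1700000010, "WARN", "auth_failure", tenant="t-globex",
             src_ip="198.51.100.9", reason="expired_token"),
    log_line(1700000040, "WARN", "auth_failure", tenant="t-globex",
             src_ip="198.51.100.9", reason="expired_token"),
    log_line(1700000012, "INFO", "export_completed", tenant="t-acme", rows=42),
    "not json at all",
]

if __name__ == "__main__":
    for alert in detect_auth_failure_bursts(SAMPLE):
        print(json.dumps(alert))
```

The metric filter is what CloudWatch evaluates per tenant-agnostic log group; the per-(tenant, ip) window is the kind of logic that belongs in a subscription-fed Lambda when a single global count would hide a slow attack against one tenant.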
For the complete security specification, see the repository's docs/SECURITY.md.