Last updated: 2026-04-06

Security Overview

This page describes the security controls implemented in the Dxtra platform.

Authentication

Dxtra issues JWTs for authenticated sessions and supports several authentication methods:

  • Email/password: Standard credential-based authentication with minimum 8-character password requirement
  • Passwordless email: Magic link authentication via email
  • OAuth providers: GitHub OAuth integration for single sign-on
  • WebAuthn/FIDO2: Hardware security key and passkey support
  • TOTP-based MFA: Time-based one-time passwords for additional account security
  • Anonymous sessions: Temporary sessions for data subject interactions

Access Control

Every request is validated through role-based permissions. The request flow, as a Mermaid graph definition:

graph TD
    A[Request] --> B[JWT Validation]
    B --> C{Valid Token?}
    C -->|No| D[401 Unauthorized]
    C -->|Yes| E[Role Extraction]
    E --> F[Permission Check]
    F --> G{Authorized?}
    G -->|No| H[403 Forbidden]
    G -->|Yes| I[Data Controller Filter]
    I --> J[Return Data]

Key authorization features:

  • Role-based permissions: Each API endpoint has granular permissions per role
  • Row-level security: Users can only access data controllers they are explicitly assigned to
  • Column-level filtering: Sensitive columns are restricted based on user role
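The pipeline in the diagram above, carried through end to end as an added example (not Dxtra's own code). Everything below the diagram's steps is an assumption made for the example: HS256-signed JWTs, a "role" claim, a "controllers" claim listing the data controllers a user is assigned to, and the permission table, sensitive-column policy and sample rows.

```python
# Added example, not Dxtra's code: the request pipeline A..J from the diagram.
# Assumptions (not stated on the page): HS256-signed JWTs, a "role" claim, a
# "controllers" claim with assigned data controller ids, and the permission
# table, column policy and sample rows below.
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, List, Optional, Tuple

SECRET = b"constructed-demo-signing-key"  # constructed for the example only

# Assumed permission table: operation -> roles allowed to perform it.
PERMISSIONS: Dict[str, set] = {
    "records:read": {"Business Owner", "Data Protection Officer", "Data Controller",
                     "Developer", "Auditor/Regulator"},
    "records:write": {"Business Owner", "Data Controller", "Developer"},
}

# Assumed column-level policy: sensitive column -> roles that may see it.
SENSITIVE_COLUMNS: Dict[str, set] = {
    "email": {"Business Owner", "Data Protection Officer", "Data Controller"},
}
ALL_COLUMNS = ("id", "controller", "purpose", "email")

# Constructed sample rows, each owned by exactly one data controller.
RECORDS: List[Dict] = [
    {"id": 1, "controller": "dc-1", "purpose": "billing", "email": "a@example.com"},
    {"id": 2, "controller": "dc-2", "purpose": "marketing", "email": "b@example.com"},
]


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: Dict, secret: bytes = SECRET) -> str:
    """Mint an HS256 JWT. Only here to produce input; the auth service does this."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def validate_jwt(token: str, secret: bytes = SECRET,
                 now: Optional[float] = None) -> Optional[Dict]:
    """Steps B/C: check structure, algorithm, signature and expiry. None means 401."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm: never let the token choose it (alg=none, key confusion).
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # bad segment count, bad base64, bad JSON
        return None
    current = time.time() if now is None else now
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, (int, float)) or exp <= current:  # missing exp is rejected
        return None
    return claims


def handle_request(token: str, operation: str,
                   now: Optional[float] = None) -> Tuple[int, List[Dict]]:
    """Steps A..J: returns (HTTP status, rows the caller may see)."""
    claims = validate_jwt(token, now=now)
    if claims is None:
        return 401, []                                         # D
    role = claims.get("role")                                  # E
    if not isinstance(role, str) or role not in PERMISSIONS.get(operation, set()):
        return 403, []                                         # F/G -> H
    assigned = set(claims.get("controllers", []))              # I: row-level security
    rows = [r for r in RECORDS if r["controller"] in assigned]
    visible = [c for c in ALL_COLUMNS                          # column-level filtering
               if c not in SENSITIVE_COLUMNS or role in SENSITIVE_COLUMNS[c]]
    return 200, [{c: r[c] for c in visible} for r in rows]     # J


if __name__ == "__main__":
    demo = issue_token({"sub": "u1", "role": "Developer", "controllers": ["dc-1"],
                        "exp": time.time() + 60})
    print(handle_request(demo, "records:read"))
```

The two filters run after authorization, not instead of it: a Developer assigned only to dc-1 gets dc-1 rows with the email column stripped, an Auditor/Regulator gets a 403 on any write, and a token whose algorithm, signature or expiry fails never reaches role extraction.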

Encryption

Data in Transit

  • HTTPS enforced: All API traffic requires TLS (HTTP requests redirect to HTTPS)
  • TLS 1.2 minimum: All endpoints enforce TLS 1.2 or higher

Data at Rest

  • Database encryption: Storage encryption enabled for all databases
  • Object storage: Server-side encryption for all stored files
  • Secrets: Stored in secure secret management systems

Rate Limiting

The authentication service implements rate limiting to prevent abuse:

Limit Type       Burst              Interval
Global           100 requests       1 minute
Brute force      10 attempts        5 minutes
Email sending    10 emails          1 hour
Sign-ups         10 registrations   5 minutes
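An added example (not Dxtra's code) of how the four limits in the table can be enforced as token buckets: the burst is the bucket capacity and the interval is the time over which it refills. The per-limit keys (client IP for the global limit, account for brute force), the bucket model itself and the ManualClock are assumptions made for the example; the page only gives the numbers.

```python
# Added example, not Dxtra's code: a token-bucket limiter configured with the
# four limits from the table above. The bucket model (burst = capacity,
# refilled evenly over the interval), the per-limit keys and ManualClock are
# assumptions made for the example.
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# (burst, interval in seconds), taken from the table above.
LIMITS: Dict[str, Tuple[int, int]] = {
    "global": (100, 60),
    "brute_force": (10, 5 * 60),
    "email_sending": (10, 60 * 60),
    "sign_ups": (10, 5 * 60),
}


@dataclass
class _Bucket:
    tokens: float
    updated: float


class ManualClock:
    """Deterministic clock so the limiter can be exercised without sleeping."""

    def __init__(self) -> None:
        self.now = 0.0

    def advance(self, seconds: float) -> None:
        self.now += seconds

    def __call__(self) -> float:
        return self.now


class RateLimiter:
    def __init__(self, clock: Callable[[], float] = time.monotonic) -> None:
        self._clock = clock
        self._buckets: Dict[Tuple[str, str], _Bucket] = {}

    def allow(self, limit: str, key: str) -> bool:
        """Consume one token from the (limit, key) bucket; False means throttle."""
        burst, interval = LIMITS[limit]
        now = self._clock()
        bucket = self._buckets.get((limit, key))
        if bucket is None:
            bucket = _Bucket(tokens=float(burst), updated=now)
            self._buckets[(limit, key)] = bucket
        # Refill in proportion to elapsed time, never above the burst size.
        refill = (now - bucket.updated) * burst / interval
        bucket.tokens = min(float(burst), bucket.tokens + refill)
        bucket.updated = now
        if bucket.tokens >= 1.0:
            bucket.tokens -= 1.0
            return True
        return False


def check_login(limiter: RateLimiter, client_ip: str, account: str) -> Optional[str]:
    """Apply the global limit per client IP, then the brute-force limit per
    account. Returns the name of the first limit that rejects the attempt,
    or None when the attempt may proceed."""
    for limit, key in (("global", client_ip), ("brute_force", account)):
        if not limiter.allow(limit, key):
            return limit
    return None
```

With the brute-force numbers this means an account absorbs 10 attempts at once and then earns one more every 30 seconds, so a slow guessing loop is throttled just as a fast one is. Keying the brute-force bucket by account rather than by IP is what makes it effective against attempts spread across many source addresses; the global bucket keyed by IP covers the opposite case.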

User Roles

The platform defines the following roles for data controller access:

Role                      Description
Business Owner            Full platform access including billing and team management
Data Protection Officer   Compliance oversight, risk assessments, and regulatory liaison
Data Controller           Defines data processing purposes and policies
Developer                 API access and technical integration capabilities
Agency Reseller           Multi-client management for consultants
Auditor/Regulator         Read-only access for compliance verification

Each role has specific permissions defined at the API level.

Audit Logging

The platform maintains audit trails through:

  • Event logging: All data changes are logged with timestamps
  • Activity history: Complete audit trail for compliance reporting
  • API request logging: Requests tracked for security monitoring

Security Best Practices

For Account Administrators

  1. Enable MFA for all user accounts
  2. Use the principle of least privilege when assigning roles
  3. Review user access periodically and remove unused accounts
  4. Monitor the audit logs for unusual activity

For API Integrations

  1. Store API credentials securely (never in client-side code)
  2. Use webhook signature validation for incoming events
  3. Implement retry logic with exponential backoff
  4. Monitor API responses for error patterns
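Items 2 and 3 above, worked through as an added example that is not Dxtra's own code. The header names, the "v1=<hex>" signature format and the timestamp-binding scheme are assumptions made for the example; an integration must use whatever scheme the platform's webhook documentation specifies.

```python
# Added example, not Dxtra's code: verifying a webhook delivery before trusting
# it, plus the backoff schedule for retrying failed API calls. The header
# names, the "v1=<hex>" format and the timestamp binding are assumptions.
import hashlib
import hmac
import time
from typing import List, Optional

WEBHOOK_SECRET = b"constructed-shared-secret"  # constructed; load from a secret store in real use
TOLERANCE_SECONDS = 300  # deliveries timestamped outside this window are treated as replays


def sign_payload(secret: bytes, timestamp: int, body: bytes) -> str:
    """Signature the sender is assumed to attach: HMAC-SHA256 over '<ts>.<body>'.
    Binding the timestamp stops an old, validly signed delivery being replayed."""
    message = str(timestamp).encode() + b"." + body
    return "v1=" + hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, body: bytes, signature_header: Optional[str],
                   timestamp_header: Optional[str], now: Optional[int] = None) -> bool:
    """True only if the timestamp is fresh and the signature matches the raw body.
    Verify the bytes exactly as received: re-serialising parsed JSON changes
    whitespace and key order and breaks the comparison."""
    try:
        timestamp = int(timestamp_header)  # type: ignore[arg-type]
    except (TypeError, ValueError):  # header missing or not an integer
        return False
    current = int(time.time()) if now is None else now
    if abs(current - timestamp) > TOLERANCE_SECONDS:
        return False
    expected = sign_payload(secret, timestamp, body)
    # Constant-time comparison: a plain == leaks how many leading bytes matched.
    return hmac.compare_digest(expected, signature_header or "")


def backoff_schedule(attempts: int, base: float = 0.5, cap: float = 30.0) -> List[float]:
    """Capped exponential delays between retries. Add random jitter in
    production so many clients do not retry in lockstep after an outage."""
    return [min(cap, base * (2 ** i)) for i in range(attempts)]
```

Verification runs before the body is parsed or acted on, and a delivery that fails it should be dropped with a generic response rather than an error that says which check failed. Retries belong on the outbound side only: apply the schedule to your own API calls that return transient errors, and make the handlers idempotent so a redelivered webhook cannot apply the same change twice.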

For Developers

  1. Use the GraphQL API for all data operations
  2. Validate all user inputs before processing
  3. Follow the established permission patterns for new features
  4. Never log sensitive data (PII, credentials, tokens)
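Item 4 above is easier to keep to if redaction happens in the logging pipeline rather than at every call site. The following is an added example, not Dxtra's code: a logging.Filter that scrubs bearer tokens, JWTs, e-mail addresses and key=value secrets before a record reaches any handler. The patterns are a starting point assumed for the example, not a complete catalogue of the PII the platform handles.

```python
# Added example, not Dxtra's code: a logging.Filter that redacts bearer tokens,
# JWTs, e-mail addresses and key=value secrets before a record reaches any
# handler. The patterns are assumptions made for the example, not a complete
# catalogue of what the platform treats as sensitive.
import logging
import re
from typing import List, Pattern, Tuple

_PATTERNS: List[Tuple[Pattern[str], str]] = [
    # Authorization headers echoed into a message
    (re.compile(r"Bearer\s+[A-Za-z0-9._~+/=-]+"), "Bearer [REDACTED]"),
    # Bare JWTs: three base64url segments, the header always starts with "eyJ"
    (re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*"), "[REDACTED_JWT]"),
    # E-mail addresses (PII)
    (re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"), "[REDACTED_EMAIL]"),
    # password=..., secret: ..., api_key=... in query strings, configs, tracebacks
    (re.compile(r"(?i)(password|passwd|secret|api[_-]?key|token)(\s*[=:]\s*)\S+"),
     r"\1\2[REDACTED]"),
]


def redact(text: str) -> str:
    for pattern, replacement in _PATTERNS:
        text = pattern.sub(replacement, text)
    return text


class RedactingFilter(logging.Filter):
    """Rewrites the message template and its string arguments in place.
    Non-string arguments are left alone so %d / %f formatting still works."""

    def filter(self, record: logging.LogRecord) -> bool:
        if isinstance(record.msg, str):
            record.msg = redact(record.msg)
        if isinstance(record.args, dict):
            record.args = {k: redact(v) if isinstance(v, str) else v
                           for k, v in record.args.items()}
        elif isinstance(record.args, tuple):
            record.args = tuple(redact(a) if isinstance(a, str) else a for a in record.args)
        return True  # never drop the record, only clean it


def format_through_filter(msg: str, *args) -> str:
    """Build a LogRecord, pass it through the filter and render it as a handler would."""
    record = logging.LogRecord("dxtra.demo", logging.INFO, "demo.py", 0, msg, args or None, None)
    RedactingFilter().filter(record)
    return record.getMessage()


def install(logger: logging.Logger) -> None:
    """Attach the filter to the logger and to each of its handlers; a filter on
    the logger alone does not see records that propagate from child loggers."""
    logger.addFilter(RedactingFilter())
    for handler in logger.handlers:
        handler.addFilter(RedactingFilter())
```

Redacting both the template and the arguments matters: a message like `"login %s with %s"` carries nothing sensitive itself, the values do. Treat the filter as a backstop for accidents, not as permission to pass tokens or credentials into log calls; structured logging with explicit fields makes it far easier to see what reaches the log in the first place.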