Security Whitepaper

Technical Security Architecture & Implementation · Version 1.0 · March 24, 2026

Executive Summary

PortFlow is a maritime logistics SaaS platform built with security as a core architectural principle. This whitepaper details PortFlow's security measures, technical architecture, and compliance roadmap for maritime agencies evaluating data security and regulatory compliance.

Multi-tenant data isolation at database and application layers
End-to-end encryption for data in transit and at rest
Role-based access controls with per-tenant enforcement
Comprehensive audit logging and incident response
Third-party security vetting and Data Processing Agreements
Active compliance roadmap: SOC 2 Type II (Q4 2026), GDPR audit (Q1 2027)

1. Technology Architecture

1.1 Platform Overview

USER DEVICES (Web Browser, Mobile Browser)
  ↕ HTTPS / TLS 1.3
CDN & EDGE CACHING (Vercel Edge Network, Global)
  ↕ HTTPS / TLS 1.3
NEXT.JS FRONTEND & API ROUTES (TypeScript · SSR · Auth Middleware · Request Validation)
  ↕ Internal Network / TLS
NODE.JS BACKEND SERVICES (Business Logic · Authorization · Encryption · Audit Logging)
  ↕ Encrypted Connection / TLS
NEON POSTGRES DATABASE (AES-256 Encryption · Row-Level Security · Automated Encrypted Backups)

1.2 Technology Stack

Frontend

  • Next.js 14.2.5 (React)
  • TypeScript
  • Tailwind CSS
  • NextAuth.js (JWT + Secure Cookies)

Backend

  • Node.js v20 LTS
  • Next.js API Routes
  • Custom JWT verification
  • Structured JSON logging

Database

  • PostgreSQL (Latest)
  • Neon (managed on AWS)
  • Multi-replica for HA
  • Automated encrypted backups (30 days)

Infrastructure

  • Vercel (Next.js platform)
  • Vercel Edge Network (Global CDN)
  • Built-in DDoS protection
  • Vercel Analytics + Custom monitoring

2. Authentication & Authorization

2.1 Authentication Mechanisms

1. User enters email and password.
2. Password is hashed and compared using bcrypt (cost factor 12); passwords are never stored in plaintext.
3. If the credentials are valid, a JWT is issued.
4. The JWT is stored in a Secure, HttpOnly cookie.
5. The JWT includes the user ID, organization ID, and role.
6. The token expires after 24 hours; refresh tokens enable seamless re-authentication.

JWT Token Structure (payload claims):

{
  "sub": "user_id_uuid",
  "org_id": "organization_id_uuid",
  "role": "operator|administrator|auditor|sales|gerente_general",
  "iat": 1711270800,
  "exp": 1711357200
}

2.2 Role-Based Access Control (RBAC)

Role             Vessels      Quotations   Invoices
Administrator    Full (R/W)   Full (R/W)   Full (R/W)
Gerente General  Read (R)     Read (R)     Read (R)
Operador         Full (R/W)   Read (R)     Read (R)
Ventas           Read (R)     Full (R/W)   Read (R)
Auditor          Read (R)     Read (R)     Read (R)

Authorization is enforced at three levels:

Level 1. API Endpoint Authorization: every API route checks the user's JWT and role. Unauthorized requests are rejected with 401 (not authenticated) or 403 (authenticated but not permitted).

Level 2. Database Row-Level Security: PostgreSQL RLS policies restrict records by organization_id, so even an application-layer bug cannot expose cross-tenant data.

Level 3. Data Filtering: backend queries include WHERE organization_id = current_user.org_id as defense in depth.
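As an added example (not PortFlow's own code), the following TypeScript shows the Level 1 decision an API route makes from the JWT claims in 2.1 and the permission matrix above. The role, resource and claim names and the 24-hour expiry come from this section; the function and type names are hypothetical, and it assumes the JWT library has already verified the token signature.

```typescript
// Added example (not PortFlow's code): Level 1 authorization decision for an API
// route, using the claim names from section 2.1 and the RBAC matrix from 2.2.
// Signature verification is assumed to have been done by the JWT library already;
// this function only interprets claims that are known to be authentic.

type Role = "administrator" | "gerente_general" | "operador" | "ventas" | "auditor";
type Resource = "vessels" | "quotations" | "invoices";
type Action = "read" | "write";

interface Claims {
  sub: string;     // user id
  org_id: string;  // tenant; the only source of tenant scope for the request
  role: string;    // treated as untrusted text until matched against ROLES
  iat: number;
  exp: number;     // seconds since epoch
}

const ROLES: readonly Role[] = ["administrator", "gerente_general", "operador", "ventas", "auditor"];

// Resources each role may write; every role in the table may read every resource.
const WRITE_ACCESS: Record<Role, ReadonlySet<Resource>> = {
  administrator: new Set<Resource>(["vessels", "quotations", "invoices"]),
  gerente_general: new Set<Resource>(),
  operador: new Set<Resource>(["vessels"]),
  ventas: new Set<Resource>(["quotations"]),
  auditor: new Set<Resource>(),
};

type Decision =
  | { status: 200; orgId: string }
  | { status: 401 | 403; reason: string };

// 401 = not authenticated (no token or expired); 403 = authenticated but not permitted.
function authorize(claims: Claims | null, resource: Resource, action: Action, nowSeconds: number): Decision {
  if (claims === null) return { status: 401, reason: "missing or unverifiable token" };
  if (claims.exp <= nowSeconds) return { status: 401, reason: "token expired" };
  if (!(ROLES as readonly string[]).includes(claims.role)) return { status: 403, reason: "unknown role" };
  const role = claims.role as Role;
  if (action === "write" && !WRITE_ACCESS[role].has(resource)) {
    return { status: 403, reason: `${role} has read-only access to ${resource}` };
  }
  // The handler scopes its query with orgId from the token, never with a value from the request.
  return { status: 200, orgId: claims.org_id };
}

// Constructed sample claims (not a real user); iat/exp reproduce the 24-hour lifetime from 2.1.
const sampleClaims: Claims = { sub: "user-1", org_id: "org-1", role: "ventas", iat: 1711270800, exp: 1711357200 };
console.log(authorize(sampleClaims, "quotations", "write", 1711300000)); // { status: 200, orgId: "org-1" }
console.log(authorize(sampleClaims, "vessels", "write", 1711300000));    // status 403, read-only
```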

2.3 Session Management & Password Security

Session Security

  • HttpOnly cookies (not accessible by JavaScript)
  • SameSite=Strict (prevents CSRF attacks)
  • Secure flag (HTTPS only)
  • 24-hour expiration with refresh tokens

Password Requirements

  • Minimum 12 characters
  • Bcrypt hashing (cost factor 12)
  • Never stored in plaintext, logs, or backups
  • Password reset tokens expire after 15 minutes

3. Data Protection

Encryption in Transit

  • Protocol: TLS 1.3
  • Ciphers: AES-256-GCM, ChaCha20-Poly1305
  • HSTS: enforces HTTPS
  • Perfect forward secrecy: past sessions remain secure even if the server's long-term private key is later compromised

Encryption at Rest

  • Database: AES-256 at storage layer
  • All table spaces, indexes, and temp tables encrypted
  • Backups: AES-256, 30-day retention
  • Encryption keys stored separately from encrypted data

Sensitive Data Handling

Payment Information

Credit card data is NOT stored in PortFlow; it is processed by a PCI-DSS certified provider. Only the last 4 digits are retained for reference.

PII Data

Crew names and passport numbers are encrypted if stored, retained only for the minimum necessary period, and deleted when no longer needed.

Auth Tokens

Stored in HttpOnly cookies only. Never logged or exposed in URLs.

Key Management

Keys are stored in secure environment variables and are never committed to source code. A quarterly key rotation plan is in place.

4. Multi-Tenant Isolation

PortFlow is a multi-tenant platform. Each organization's data is strictly isolated across three enforcement levels:

Application Level

Every user belongs to exactly one organization. Every API query filters by organization_id. Cross-organization access is impossible by design.

Database Level (PostgreSQL RLS)

Row-Level Security policies enforce isolation. Queries automatically restricted to current organization's data. Even if application code has a bug, database prevents cross-tenant access.

-- Example RLS Policy
-- Applies to every row access on vessels: USING filters the rows a query may see,
-- WITH CHECK rejects inserts/updates that would place a row in another organization.
-- The policy only takes effect once RLS is enabled on the table
-- (ALTER TABLE vessels ENABLE ROW LEVEL SECURITY).
CREATE POLICY org_isolation ON vessels
  USING (organization_id = current_user_org_id())
  WITH CHECK (organization_id = current_user_org_id());
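Added example (not PortFlow's code) of how a backend handler could apply the database level and the application level together for one request. It assumes that current_user_org_id() reads a per-transaction setting named app.current_org_id via current_setting(); the whitepaper does not say how that function is implemented, and the function and type names below are hypothetical.

```typescript
// Added example (not PortFlow's code): one tenant-scoped read that applies both
// enforcement levels from section 4. Assumption (not stated in the whitepaper):
// current_user_org_id() is implemented as current_setting('app.current_org_id', true).

interface Statement {
  text: string;
  values: string[];
}

type TenantTable = "vessels" | "quotations" | "invoices";

const UUID = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
const IDENTIFIER = /^[a-z_][a-z0-9_]*$/;

// Builds the parameterized statements for one request. orgId must be the org_id claim
// of the verified JWT, never a value taken from the request body or query string.
function tenantScopedSelect(orgId: string, table: TenantTable, columns: string[]): Statement[] {
  if (!UUID.test(orgId)) {
    throw new Error("organization_id must be the UUID from the verified token");
  }
  // Column names cannot be bound as parameters, so they are validated against a strict
  // identifier pattern and quoted before being interpolated.
  const cols = columns.map((c) => {
    if (!IDENTIFIER.test(c)) throw new Error(`invalid column name: ${c}`);
    return `"${c}"`;
  }).join(", ");
  return [
    // One transaction per request: set_config(..., true) behaves like SET LOCAL, so the
    // tenant id is discarded at COMMIT and cannot leak to the next request on a pooled connection.
    { text: "BEGIN", values: [] },
    // Level 2: the RLS policy compares organization_id against this setting.
    { text: "SELECT set_config('app.current_org_id', $1, true)", values: [orgId] },
    // Level 3: the explicit filter stays even though RLS already applies (defense in depth).
    { text: `SELECT ${cols} FROM ${table} WHERE organization_id = $1`, values: [orgId] },
    { text: "COMMIT", values: [] },
  ];
}

// Constructed sample tenant id and column names (not a real organization or schema).
const sampleOrg = "11111111-2222-4333-8444-555555555555";
for (const s of tenantScopedSelect(sampleOrg, "vessels", ["id", "name"])) {
  console.log(s.text, s.values);
}
```

If the setting is missing, current_setting(..., true) returns NULL and the policy comparison yields no rows, so a handler that forgets to set it fails closed rather than open.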

Administrative Access Controls

PortFlow engineers do not have default access to customer data. Production database access requires multi-factor authentication. All access is logged, audited, and reviewed quarterly.

5. Logging, Monitoring & Incident Response

5.1 Audit Logging

Logged Events

  • User login/logout with IP and timestamp
  • Vessel creation, modification, or deletion
  • Quotation and invoice changes
  • Administrative actions and permission changes
  • Failed authentication attempts
  • Database backup and recovery operations

Log Retention

  • Application logs: 30 days
  • Audit logs: 3 years (compliance)
  • System logs: 90 days

Log Security

  • Stored separately from application data
  • Cannot be modified by application users
  • Exports are encrypted

5.2 Incident Response Timeline

Immediate: Incident classified and responders notified
Within 1 hour: Initial investigation and customer notification if data affected
Within 4 hours: Root cause analysis completed
Within 24 hours: Remediation implemented and tested
Within 48 hours: Post-incident review and process improvements

6. Third-Party Security & Vendor Management

Neon Postgres

Database Hosting

SOC 2 Type II · 99.99% SLA

Encryption in transit (TLS) and at rest (AES-256). Multi-region data centers. Automated backups with point-in-time recovery.

Vetting: Completed ✓ · DPA: Signed ✓

Vercel

Application Hosting

SOC 2 Type II · 99.95% SLA

DDoS protection. Web Application Firewall (WAF). Automatic certificate management. Global edge network.

Vetting: Completed ✓ · DPA: Signed ✓

Anthropic (Claude AI)

Marina Chatbot

Enterprise DPA

No training on customer data. User queries deleted within 30 days. API rate limiting and abuse prevention.

Vetting: Completed ✓ · DPA: Signed ✓

Zoho CRM

Support / CRM

SOC 2 Type II

Encryption in transit and at rest. Role-based access controls. Audit logging.

Vetting: Completed ✓ · DPA: Signed ✓

7. Vulnerability Management

Secure Development

  • TypeScript's static typing eliminates whole classes of type-related bugs at compile time
  • Mandatory code reviews before deployment
  • No hardcoded secrets or credentials
  • Input validation and sanitization enforced

Dependency Management

  • Regular dependency updates
  • Security advisories via npm audit
  • Critical vulnerabilities patched within 24 hours
  • Quarterly security audits

Penetration Testing

  • Q3 2026: Initial pen test (external firm)
  • Q1 2027: Follow-up pen test
  • Quarterly: Internal vulnerability scanning
  • Q2 2027: Bug bounty program (planned)

8. IMO Maritime Cyber Risk Management (MSC-FAL.1/Circ.3)

PortFlow implements the core technical controls recommended by the International Maritime Organization's MSC-FAL.1/Circ.3-Rev.3 Guidelines on Maritime Cyber Risk Management, enabling maritime agencies to demonstrate compliance with IMO cyber security recommendations.

Technical Controls Implemented

  • Encryption in Transit: TLS 1.3 with AES-256-GCM ciphers
  • Encryption at Rest: AES-256 at database storage layer
  • Role-Based Access Control: 5 permission levels (Administrator, Gerente General, Operador, Ventas, Auditor)
  • Audit Logging: All operations logged with user, timestamp, and action type
  • Multi-Tenant Isolation: 3 enforcement layers (application, database RLS, administrative)

Roadmap: Strengthening Controls

  • Q3 2026: Third-party penetration test by external security firm
  • Q3 2026: Formal incident response procedures documentation
  • Q4 2026: SOC 2 Type II audit initiation
  • Q1 2027: Enterprise security features (SAML SSO, advanced MFA, IP whitelisting)

MSC-FAL.1/Circ.3 Alignment

Maritime agencies using PortFlow can demonstrate to port authorities and regulators that they have implemented the cyber risk management controls recommended by the IMO, supporting compliance with international maritime security standards and operational cyber resilience requirements.

Security Contact & Responsible Disclosure

Security researchers and customers can report security issues to: security@portflow.tech

Please allow 90 days for us to address issues before public disclosure. We will acknowledge receipt within 24 hours and provide periodic updates. Security researchers who report critical issues will be publicly credited if desired.

PortFlow © 2026 · All Rights Reserved · Document Version 1.0 · This whitepaper is intended for technical and security evaluation purposes.