Security & Access Control
CoralLedger Comply implements multiple layers of security to protect your financial data and ensure regulatory compliance.
Authentication
Two-Factor Authentication (2FA)
All users are required to set up 2FA on first login. This adds a second verification step using an authenticator app.
- Required for: All users, all sensitive operations
- Supported apps: Google Authenticator, Microsoft Authenticator, Authy, 1Password
- Backup codes: Generated during setup for emergency access
Password Security
- Minimum 8 characters with complexity requirements (uppercase, lowercase, number, special character)
- PBKDF2 hashing with industry-standard iterations
- Password change history tracked
Session Management
- Secure cookie-based authentication
- Session timeout for inactive users
- View and revoke active sessions from Account Settings
- Login history with IP address and device tracking
Threat Protection
IP Blocking
Automatically blocks IP addresses after repeated failed login attempts. Administrators can manually block suspicious IPs.
Fraud Detection
Real-time monitoring flags suspicious activity including:
- Unusual transaction patterns
- Statistical outliers
- Rapid repeated actions
- Cross-tenant access attempts
Kill Switch
Emergency control to immediately disable fraud detection or lock down specific accounts during security incidents.
Data Protection
Multi-Tenant Isolation
Every database query is filtered by Business ID, ensuring complete data isolation between businesses. Cross-tenant access is prevented at the application and database level.
Audit Trail
All data modifications are recorded in an immutable, hash-chain verified audit log. See Audit Trail for details.
Data Retention
- Active accounts: Unlimited retention
- Closed accounts: 7-year retention per VAT Act Section 50
- WORM (Write Once Read Many) compliance for audit entries
Encryption
- TLS 1.2+ for all data in transit
- Database-level encryption for data at rest
- Secure cookie flags (HttpOnly, Secure, SameSite)
Role-Based Access Control
| Role | Permissions |
|---|---|
| Owner | Full access to all features and settings |
| Accountant | Manage transactions, returns, and reports |
| User | View-only access to data and reports |
Granular permissions can be configured per user for: Transactions, Reports, Compliance, Settings, User Management, and Security.
Best Practices
- Enable 2FA immediately — Required for all users
- Use strong, unique passwords — Don't reuse passwords from other services
- Review login history regularly — Check for unrecognized access
- Limit user permissions — Grant only the access each team member needs
- Monitor fraud alerts — Act on security notifications promptly