FALKENSign in

Security

Enterprise-grade security for procurement automation

Authentication

  • -- Adaptive MFA with risk-based TOTP challenges
  • -- Trusted-device recognition (90-day cookie)
  • -- bcrypt password hashing (14 rounds)
  • -- HMAC-signed session tokens
  • -- CSRF double-submit protection

Infrastructure

  • -- AWS VPC with private subnets (no public RDS/Redis)
  • -- TLS everywhere (ALB + ElastiCache transit encryption)
  • -- WAF with rate limiting on auth endpoints
  • -- GuardDuty threat detection
  • -- Secrets Manager for all credentials

Data protection

  • -- Per-client KMS encryption keys
  • -- RDS encryption at rest
  • -- S3 server-side encryption
  • -- Certificate bytes held in memory only
  • -- Temp files: mode 0o600, deleted in finally

Access control

  • -- Role-based access (admin, operator, viewer)
  • -- Per-client scoping for viewer accounts
  • -- Step-up authentication for sensitive operations
  • -- Comprehensive audit logging
  • -- IAM Access Analyzer for unused permissions

Digital signatures

All bid submissions are signed using GOST R 34.10-2012 digital certificates issued by NCA Kazakhstan. The signing happens server-side without NCALayer -- the private key never leaves the encrypted store. Each company uses its own certificate, isolated at the VM level.