Security Model
How we keep victims' data safe while delivering evidence law enforcement can trust.
Core safeguards
Immediate protection: Victim contact fields (reporter name, email, phone, handle) are Fernet-encrypted at intake time and stored as ciphertext in the main database. Analysts see redaction markers ([VICTIM_EMAIL], [VICTIM_PHONE]) unless they explicitly request decryption via the contact endpoint.
No separate vault: Encrypted fields live in the same Cloud SQL instance as case data, eliminating cross-project complexity. The encryption key (I4G_CRYPTO__PII_KEY) is stored in Secret Manager.
Audited decryption: Decrypting victim contact information requires the analyst role and is fully audit-logged with correlation IDs via GET /intakes/{id}/contact.
Encryption everywhere: TLS 1.3 in transit; AES-256-GCM at rest with KMS-wrapped keys rotated every 90 days. Signed dossiers include SHA-256 hash manifests for verification.
Least privilege: Four RBAC roles (user, analyst, admin, leo) limit visibility. Row-level security scopes queries by assigned_to. Cloud SQL uses IAM auth — no stored passwords. Seven service accounts follow least-privilege bindings.
Proactive monitoring: Log-based metrics trigger alerts on unusual contact decryption access, failed authentication, ingestion failures, and signature mismatches.
Why it matters
Victims stay protected while their cases move forward.
Partners and donors see a compliant, auditable path from intake to court-ready evidence.
The architecture scales without relaxing privacy guarantees.
Analytics & Partner Feed Security (Sprint 6)
Researcher Role Restrictions
Researcher-role users receive HTTP 403 for case detail, entity detail, and export endpoints. Aggregate views (dashboard KPIs, indicator counts) are accessible. This prevents PII exposure while allowing statistical analysis.
TLP Enforcement
The partner indicator feed API accepts a tlp query parameter (default: TLP:AMBER). Indicators are tagged with the requested TLP level. Server-side TLP classification per indicator is a future enhancement.
Export Audit Logging
All export operations (CSV, XLSX, STIX, PDF reports) are logged to the audit_log table with actor, format, filter parameters, and result counts. Partner feed accesses are logged separately to partner_feed_audit.
Partner API Authentication
Partner organizations authenticate via the X-Partner-API-Key header. Keys are stored as SHA-256 hashes — raw keys are never persisted. Each key has:
Per-key rate limiting (rate_limit_per_minute)
Expiration control (expires_at)
Activation toggle (is_active)
Full audit trail (partner_feed_audit)
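As an added illustration, not the project's own code: a stdlib-only Python sketch of the partner key checks listed above (SHA-256 storage of the key, per-key rate limit, expires_at, is_active, and an audit row per attempt). The PartnerKeyStore class, its in-memory tables and the outcome strings are assumptions made for this example.

```python
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple


def hash_key(raw_key: str) -> str:
    # Only this digest is persisted; the raw key is shown to the partner once.
    return hashlib.sha256(raw_key.encode("utf-8")).hexdigest()


@dataclass
class PartnerKeyRecord:
    key_hash: str
    rate_limit_per_minute: int
    expires_at: Optional[datetime]
    is_active: bool = True


class PartnerKeyStore:
    """Constructed in-memory stand-in for the key table and partner_feed_audit."""

    def __init__(self) -> None:
        self.keys: Dict[str, PartnerKeyRecord] = {}
        self.window: Dict[str, Tuple[datetime, int]] = {}  # key_hash -> (minute, count)
        self.audit: List[dict] = []

    def issue(self, rate_limit_per_minute: int, expires_at: Optional[datetime]) -> str:
        raw = secrets.token_urlsafe(32)
        self.keys[hash_key(raw)] = PartnerKeyRecord(hash_key(raw), rate_limit_per_minute, expires_at)
        return raw  # returned to the caller once, never stored

    def authenticate(self, headers: Dict[str, str], now: datetime) -> Tuple[bool, str]:
        raw = headers.get("X-Partner-API-Key")
        key_hash = hash_key(raw) if raw else None
        rec = self.keys.get(key_hash) if key_hash else None
        if raw is None:
            outcome = "missing_key"
        elif rec is None:
            outcome = "unknown_key"
        elif not rec.is_active:
            outcome = "inactive"
        elif rec.expires_at is not None and now >= rec.expires_at:
            outcome = "expired"
        else:  # fixed one-minute window counter per key
            bucket = now.replace(second=0, microsecond=0)
            prev_bucket, count = self.window.get(key_hash, (bucket, 0))
            count = 0 if prev_bucket != bucket else count
            outcome = "rate_limited" if count >= rec.rate_limit_per_minute else "ok"
            if outcome == "ok":
                self.window[key_hash] = (bucket, count + 1)
        # Every attempt, allowed or denied, leaves an audit row keyed by hash, never raw key.
        self.audit.append({"actor": key_hash, "at": now.isoformat(), "outcome": outcome})
        return outcome == "ok", outcome
```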
PII Anonymization in Analytics
Analytics aggregation tables (entity_stats, indicator_stats) contain only canonical values and aggregate statistics. When records are purged, entity values are replaced with SHA-256 hashes (S1-28 anonymization strategy). The partner feed API exposes only indicator categories, types, and aggregate counts — no PII fields.
For the end-to-end evidence flow showing where encryption occurs, see Data Pipelines. For threat analytics built on these safeguards, see Threat Intelligence.