Security & Privacy

Cadet data is sensitive. CadetCore is built with security at every level — not bolted on as an afterthought.

Data Protection

Personal data is encrypted in the database, passwords are hashed with industry-leading algorithms, and every action leaves an audit trail.

AES-256 Encryption

All personal data (names, emails) is encrypted at the column level using AES-256-GCM. Even direct database access reveals nothing.

Two-Factor Authentication

Email login codes on every sign-in by default, with optional authenticator app (TOTP) upgrade and encrypted recovery codes.

Encrypted Backups

Password-protected backups with Argon2id key derivation. Automatic schema migration means older backups are always restorable.

Full Audit Trail

Every action is logged with before-and-after detail. Exportable reports for inspections and compliance.

Granular Permissions

Custom roles with per-page access and rank-based data filtering. Staff only see the cadets relevant to their role.

Infrastructure & Authentication

Security runs through the entire stack, from password hashing to network-level protections.

Password Security

Passwords are hashed with Argon2id using OWASP-recommended parameters (19 MiB memory, 2 iterations). No reversible password storage.

  • Argon2id (OWASP parameters)
  • Progressive migration from bcrypt
  • Secure password reset via email

Session Management

JWT-based sessions with a 24-hour maximum lifetime. Every session is tied to a login timestamp and validated on each request.

  • 24-hour session expiry
  • Login timestamp validation
  • Secure HTTP-only cookies

Rate Limiting

IP-based rate limiting on sensitive endpoints prevents brute-force attacks. Account lockout after repeated failed attempts.

  • Login attempt throttling
  • 2FA code rate limiting
  • Password reset throttling

Security Headers

Industry-standard security headers are set on every response to protect against common web vulnerabilities.

  • Content Security Policy (CSP)
  • HTTP Strict Transport Security (HSTS)
  • X-Frame-Options, X-Content-Type-Options

TLS Everywhere

All traffic is encrypted in transit with TLS. HSTS ensures browsers never downgrade to plain HTTP.

  • TLS 1.2+ on all connections
  • Wildcard certificate management
  • Automatic HTTP-to-HTTPS redirect

2FA Hardening

Two-factor authentication codes are hashed (SHA-256), magic links are bound to IP and user agent, and TOTP secrets are AES-256 encrypted.

  • Hashed email verification codes
  • IP + user-agent bound magic links
  • Encrypted TOTP secrets & recovery codes

GDPR Compliance

CadetCore includes built-in privacy features to help units meet their data protection obligations.

Privacy Policy

Built-in privacy page explaining what data is collected, how it's used, and who has access.

Data Export

Cadets can export all their personal data in a single download — completions, qualifications, boating hours, and more.

Right to Erasure

Full cascade delete removes all cadet data — completions, qualifications, boating hours, class slips, and audit records.

Backup Retention

Automated daily backups with 14-day retention. Clear data lifecycle with no indefinite storage.

Questions About Security?

We take data protection seriously. Get in touch if you have questions about how CadetCore handles your unit's data.

Get in Touch