Surplus Docs by Sharing Excess

Security & Compliance

This section is written for security reviewers, enterprise partners, and auditors. It describes how Surplus protects data and controls access, citing the code that enforces each control so claims can be verified rather than taken on faith.

Each page states what is implemented today and, where relevant, what is on the roadmap — clearly labeled so there's no ambiguity about current state.

Principles

Surplus is built on a few security principles that show up consistently across the codebase:

  • The API is the only door. Browsers never touch the database, cache, or file storage directly. Every read and write goes through the authenticated API, so access control lives in one place. See Request lifecycle.
  • Least privilege by role. Every endpoint is gated by role, and sensitive data is scoped to the organizations a user belongs to.
  • Secrets stay on the server. Database strings, signing keys, and storage credentials are injected at the app layer and never reach the browser.
  • Defense in depth. Authentication, authorization, rate limiting, CORS, security headers, and input validation each do their part rather than relying on a single control.
  • Verifiable, not assumed. Controls are enforced in shared, reviewable code paths — not scattered, not duplicated.

Trust boundaries

The architecture diagram captures how each connection is authenticated:

Surplus platform architecture and trust boundaries

  • Browser to API — authenticated with a signed session token (JWT) in an HttpOnly cookie. See Authentication.
  • API to data stores — authenticated with server-only secrets (database connection strings, Redis tokens, S3 keys) that never leave the server. See Infrastructure and secrets.
  • Public surfaces — the marketing site and this documentation are public and read-only, served over HTTPS.

A note on scope

These pages describe the Surplus platform contained in this repository: the web client, the API server, and the supporting data stores and jobs. Where a control is partial or planned, it's marked as such — accuracy matters more than appearances.