Security & Compliance

Compliance-grade activity history, non-destructive review, and privacy-first user lifecycle — built into the platform.

Audit Trail

  • Opt-in Audit Log module with per-organization enable/disable — off by default, activated when your compliance needs call for it
  • Captures create, update, delete, approve, reject, status change, and login/logout events across 11 entity types (clients, projects, tasks, forms, submissions, workflows, databases, reports, announcements, groups, branches)
  • Field-level diffs with resolved display names — see "Status: Open → Completed" and "Assignee: Jane Doe → John Smith" instead of raw IDs
  • Write-time identity snapshots preserve the editor's name, email, and role even if their account is later deactivated or erased
  • Configurable retention (default 60 days) with automated daily sweep — never grows unbounded
  • Append-only Firestore security rules: audit entries cannot be edited or deleted by users, not even administrators
  • Viewer with actor, entity, action, source, and date-range filters plus CSV export for compliance packages

Audit Trail

Reviewer Notes on Submissions

  • Managers and administrators can annotate submissions without mutating the response data — your source of truth stays untouched
  • Four categories: Discrepancy, Clarification, Follow-up, Resolved — plus an "internal only" flag to separate internal review from submitter-visible comments
  • Thread view with authoring identity, timestamp, and a 15-minute edit window after posting
  • Mark notes as resolved to close out follow-ups; unresolved discrepancies bubble up in reports
  • Optional push and in-app notification to the submitter when a non-internal note is added
  • Gated by a dedicated submission:annotate permission so you control exactly who can post reviewer notes

Reviewer Notes on Submissions

Record Integrity & GDPR

  • Two-tier user lifecycle: Deactivate (reversible, preserves history and audit references) vs Hard Delete / GDPR Erasure (irreversible, for right-to-erasure requests)
  • Deactivation is the default safe path — blocks sign-in while keeping assignment, approval, and audit history intact
  • GDPR erasure replaces personal data with a tombstone while preserving referential integrity, so historical submissions, audit entries, and approval chains never point to a dangling user
  • Status filter on the Platform Users screen to isolate active, deactivated, pending, or tombstoned accounts
  • Firebase Auth disabled in lock-step with deactivation — no orphan sign-in tokens
  • Append-only audit entries survive user deletion, meeting "immutable compliance history" requirements

Record Integrity & GDPR

Multi-Tenant Isolation

  • 5-layer defense model: Firestore rules + org context provider + datasource signature + collection-group filter + Cloud Function validation
  • Every document is scoped under organizations/{orgId}/ with organizationId stamped into subcollection data for collection-group queries
  • No cross-tenant read or write path exists by construction — enforced at the security-rule layer, not just in app code
  • Role-based access control with 162 permission combinations (18 resources × 9 actions), including granular assign, approve, export, and annotate actions

Multi-Tenant Isolation

Ready to run field operations on data you can trust?

30 days free. No credit card required.