Beezifi Inc. takes security seriously. This Security Policy describes the
technical and organizational safeguards implemented in the Beezifi Identity
service (the "Service") to protect your account and authentication data. This policy is
incorporated by reference into our Terms of Use and
Privacy Policy.
Security is not an add-on — it is the foundation of Beezifi Identity. Every architectural
decision is made with the assumption that the authentication layer is a high-value attack
target.
1. Authentication & Credential Security
- Password Hashing: bcrypt with work factor 12+. Passwords are never stored in plaintext.
- Two-Factor Auth: TOTP-based 2FA (RFC 6238) available on all accounts. Admin accounts are strongly encouraged to enable it.
- JWT Sessions: JSON Web Tokens with short expiry windows, HS256 signing, issuer and audience validation.
- Rate Limiting: Authentication endpoints are rate-limited (20 attempts per 15 minutes per IP) to prevent brute-force attacks.
2. Transport Security
All communication between clients and the Service is encrypted using
TLS 1.2 or higher. Unencrypted HTTP connections are automatically upgraded
to HTTPS. HTTP Strict Transport Security (HSTS) headers are enforced to prevent
downgrade attacks.
3. HTTP Security Headers
The Service is hardened with the following HTTP security headers via Helmet.js:
- Content-Security-Policy (CSP): Restricts permitted content sources
- HTTP Strict Transport Security (HSTS): Forces HTTPS for all future connections
- X-Frame-Options: DENY: Prevents clickjacking via iframe embedding
- X-Content-Type-Options: nosniff: Prevents MIME type sniffing
- Referrer-Policy: Controls referrer information in outbound requests
- Permissions-Policy: Restricts browser feature access
4. CSRF Protection
All state-changing API endpoints require a valid CSRF token delivered via the
X-CSRF-Token request header and validated against a double-submit cookie.
This prevents cross-site request forgery attacks from malicious third-party pages.
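A double-submit check of the kind described in this section could look like the following added example, which is not Beezifi's code. The X-CSRF-Token header comes from the policy; the cookie name `csrf_token`, the request shape and the function names are assumptions.

```javascript
const crypto = require('node:crypto');

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']); // not state-changing
const CSRF_COOKIE = 'csrf_token'; // assumed cookie name, not taken from the policy

// Minimal Cookie header parser: "a=1; b=2" -> Map { a => "1", b => "2" }
function parseCookies(header = '') {
  const jar = new Map();
  for (const pair of header.split(';')) {
    const eq = pair.indexOf('=');
    if (eq > 0) jar.set(pair.slice(0, eq).trim(), pair.slice(eq + 1).trim());
  }
  return jar;
}

// Token the server would set in the cookie and hand to its own front end.
function newCsrfToken() {
  return crypto.randomBytes(32).toString('base64url');
}

// req: { method, headers } with lower-cased header names, as in Node's http module.
function csrfCheck(req) {
  if (SAFE_METHODS.has(req.method.toUpperCase())) return { allowed: true };
  const header = req.headers['x-csrf-token'];
  const cookie = parseCookies(req.headers.cookie).get(CSRF_COOKIE);
  // Absent values must fail closed: two missing tokens would otherwise compare equal.
  if (typeof header !== 'string' || !header || !cookie) {
    return { allowed: false, reason: 'missing-token' };
  }
  const a = Buffer.from(header);
  const b = Buffer.from(cookie);
  // Constant-time comparison; timingSafeEqual throws on unequal lengths, so check first.
  if (a.length !== b.length || !crypto.timingSafeEqual(a, b)) {
    return { allowed: false, reason: 'mismatch' };
  }
  return { allowed: true };
}
```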
5. OAuth2 Security
The OAuth2 authorization server implements the following safeguards:
- Redirect URIs are strictly matched — wildcards and fragment-based URIs are rejected
- Authorization codes are single-use and expire within 10 minutes
- Client secrets are generated with cryptographic randomness (256-bit)
- Tokens are tracked server-side and can be revoked at any time
- User consent is explicitly required and recorded for each application and scope
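The first three safeguards in this list (exact redirect URI matching, single-use codes with a 10-minute lifetime, 256-bit client secrets) are sketched in the following added example, which is not Beezifi's code. The in-memory store, the client object shape and all names are assumptions for illustration.

```javascript
const crypto = require('node:crypto');

const CODE_TTL_MS = 10 * 60 * 1000; // 10-minute code lifetime stated in the policy

// Registration-time check: must be an absolute URI with no wildcard and no fragment.
function isRegistrableRedirectUri(uri) {
  if (typeof uri !== 'string' || uri.includes('*') || uri.includes('#')) return false;
  try {
    new URL(uri); // throws on relative or unparseable input
    return true;
  } catch {
    return false;
  }
}

// 32 random bytes = 256 bits from the OS CSPRNG.
function newClientSecret() {
  return crypto.randomBytes(32).toString('base64url');
}

class AuthCodeStore {
  constructor() {
    this.codes = new Map();
  }

  // client: { id, redirectUris } (hypothetical shape)
  issue(client, redirectUri, now = Date.now()) {
    // Exact string comparison with registered values: no prefix or pattern matching.
    if (!client.redirectUris.includes(redirectUri)) throw new Error('redirect_uri mismatch');
    const code = crypto.randomBytes(32).toString('base64url');
    this.codes.set(code, { clientId: client.id, redirectUri, expiresAt: now + CODE_TTL_MS });
    return code;
  }

  redeem(code, clientId, redirectUri, now = Date.now()) {
    const entry = this.codes.get(code);
    if (!entry) return { ok: false, reason: 'unknown-or-used' };
    this.codes.delete(code); // single use: consumed on first presentation, even if it then fails
    if (now >= entry.expiresAt) return { ok: false, reason: 'expired' };
    if (entry.clientId !== clientId || entry.redirectUri !== redirectUri) {
      return { ok: false, reason: 'binding-mismatch' };
    }
    return { ok: true };
  }
}
```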
6. Session Management
Sessions are stored server-side with an associated IP address, user agent, device fingerprint,
and expiration timestamp. Users can view all active sessions and revoke individual sessions
from their dashboard at any time. Sessions are automatically invalidated on password change.
7. Device Trust
The Service supports trusted device registration using browser fingerprinting. Trusted
devices can be reviewed and revoked from the security settings panel. Device fingerprints
are hashed before storage and are used only for session trust — never for tracking or
profiling.
8. Access Policy Engine
Users can configure fine-grained access policies including:
- Application allowlists and blocklists (which OAuth2 apps may authenticate with your account)
- Geographic restrictions (allowed/blocked countries by ISO code)
- Time-based access windows (allowed hours and days of week in UTC)
Policy violations are logged and blocked in real time without user notification to prevent
information leakage.
9. Audit Logging
Every significant action within the Service is recorded in an append-only audit log,
including:
- Successful and failed login attempts
- Password changes and 2FA modifications
- Token issuance and revocation
- OAuth2 consent grants and revocations
- Policy changes and access policy denials
- Admin actions and account modifications
Audit logs are retained for compliance purposes and are available to account owners and
administrators within the Service.
10. Data Isolation
Authentication data is stored in access-controlled, isolated database instances.
There are no shared data layers between users. Even internal Beezifi staff accessing
infrastructure for support purposes follow audited, role-gated processes.
11. Shared Responsibility
Security is a shared responsibility. To protect your account, you must:
- Use a strong, unique password (minimum 8 characters; we recommend 12+ with mixed case, numbers, and symbols)
- Enable TOTP two-factor authentication, especially on accounts with administrative privileges
- Review your active sessions regularly and revoke any you do not recognize
- Review and manage trusted devices and connected OAuth2 applications periodically
- Never share your password or session token with any person or application
- Log out from shared or public devices
- Report any suspected unauthorized access immediately to security@beezifi.com
12. Incident Response
In the event of a confirmed security incident affecting user data, Beezifi Inc. will:
- Notify affected users within 72 hours of confirmation, as required by applicable law
- Provide clear information about the nature of the exposure and what data was affected
- Describe remediation steps taken and recommended user actions
- Cooperate with applicable regulatory authorities as required
13. Vulnerability Disclosure
If you believe you have discovered a security vulnerability in the Service, please report it
responsibly to us before public disclosure:
- Email: security@beezifi.com
- Include a clear description of the vulnerability with reproduction steps
- Include the potential impact and affected components
- We will acknowledge receipt within 2 business days
- We will work with you to validate and remediate confirmed issues
Please do not publicly disclose vulnerabilities before we have had a reasonable opportunity
to remediate them. We appreciate responsible disclosure and will credit researchers where
appropriate with their consent.
14. Disclaimer
DESPITE THE SECURITY MEASURES DESCRIBED IN THIS POLICY, NO SYSTEM IS 100% SECURE.
BEEZIFI INC. CANNOT GUARANTEE ABSOLUTE SECURITY OF DATA TRANSMITTED OVER THE INTERNET
OR STORED ON OUR SYSTEMS. BEEZIFI INC. SHALL NOT BE LIABLE FOR ANY UNAUTHORIZED ACCESS,
BREACH, OR LOSS OF DATA TO THE EXTENT SUCH INCIDENT RESULTS FROM CIRCUMSTANCES BEYOND
OUR REASONABLE CONTROL, INCLUDING BUT NOT LIMITED TO YOUR FAILURE TO MAINTAIN ADEQUATE
PASSWORD HYGIENE, FAILURE TO ENABLE AVAILABLE SECURITY FEATURES, OR COMPROMISE OF YOUR
OWN DEVICE OR NETWORK. YOUR USE OF THE SERVICE IS AT YOUR OWN RISK AS FURTHER DESCRIBED
IN OUR TERMS OF USE.
15. Governing Law
This Security Policy and any disputes arising out of or relating to it shall be governed by
and construed in accordance with the laws of the State of Washington, United States,
without regard to its conflict-of-law provisions. By using the Service, you consent to the
exclusive jurisdiction of the courts located in Washington State for any matters not subject
to arbitration under our Terms of Use.
16. Contact
For security questions or to report an incident:
Email: security@beezifi.com
Response target: 2 business days for security reports