Security & access controls
Last updated: June 2026
Summary of security controls relevant to GDPR Article 32 and customer security questionnaires.
Access control & RBAC
- Academy-scoped roles: Owner, Moderator, Member, Visitor
- JWT session cookies (httpOnly, Secure, SameSite) for authenticated API access
- BFF routes validate session server-side before proxying to backend
- Owner-only routes for payments, settings, and member management
SSO / federated login
For municipalities and enterprises we integrate standard IdPs — we do not build custom SSO from scratch:
- WorkOS, Auth0, or Okta via OIDC/SAML (backend broker)
- Frontend BFF: GET /api/auth/sso/{provider} → backend authorization URL
- Same httpOnly session model after successful federation
Security & audit logging
Security-relevant events are logged for investigation and compliance:
- Authentication, consent changes, data export, account deletion (BFF + backend)
- Payment audit lines (Stripe webhook correlation IDs)
- 12-month retention default; PII minimized in logs
Penetration testing posture
Reasonable assurance through layered testing:
- Dependency scanning (npm audit) in CI on every PR
- OWASP-aligned headers (CSP, HSTS, X-Frame-Options) via next.config.mjs
- Annual third-party penetration test recommended before major public-sector rollouts
Report a vulnerability
Responsible disclosure: security@coursfy.com. Do not include personal data in reports.