Security at MOSES
MOSES is built for regulated industrial environments where data integrity, availability, and access control are non-negotiable. Here is how we approach security at every layer.
Authentication & access control
- All portal sessions use NextAuth v5 with JWT session tokens (30-day expiry)
- Passwords hashed with bcrypt (cost factor 12) — plaintext never stored
- Role-based access control with a 27-feature permission matrix
- Super-admin gate protects all builder and provisioning features
- API endpoints authenticated via bearer token or session cookie
Data in transit
- All portal traffic served over HTTPS/TLS 1.3
- IVM-to-portal communication over HTTPS (port 443, outbound only)
- No unencrypted OT data leaves the local network
Data at rest
- PostgreSQL databases encrypted at rest on managed cloud deployments
- Daily encrypted backups with 30-day retention (managed cloud)
- Audit columns on all tables — created_by, updated_by, deleted_at
- Soft deletes — no data permanently removed without explicit request
Compliance certifications
Vulnerability management
- Dependency scanning via automated tooling on every commit
- VAPT (Vulnerability Assessment and Penetration Testing) performed annually
- Critical patches deployed within 24 hours on managed cloud
- Responsible disclosure: security@opennetworksolutions.in
21 CFR Part 11 compliance
For pharmaceutical customers, MOSES supports FDA 21 CFR Part 11 requirements for electronic records and electronic signatures:
- Electronic signatures on all form submissions (name + timestamp + role)
- Immutable audit trail — records cannot be modified after submission
- System access controls with unique user IDs and session management
- Sequence of events log preserved and retrievable on demand
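The data-at-rest properties above (audit columns, soft deletes) and the Part 11 properties (immutable submitted records, electronic signature fields, a sequence-of-events log) are usually enforced in the database itself rather than trusted to application code. The PostgreSQL schema below is an added illustration, not MOSES's own schema: only the column names created_by, updated_by and deleted_at come from the page; the table names, the other columns, the application role app_role and the sample row are assumptions made for the example. It requires PostgreSQL 11 or later for EXECUTE FUNCTION and assumes app_role already exists.

```sql
-- Added example, not MOSES code. Enforces: audit columns, soft delete only,
-- immutable records after submission, append-only sequence-of-events log.
-- Table/column names other than created_by, updated_by, deleted_at are assumed.

CREATE TABLE form_submission (
    id          bigserial   PRIMARY KEY,
    payload     jsonb       NOT NULL,
    -- electronic signature captured at submission: name + timestamp + role
    signed_by   text        NOT NULL,
    signed_role text        NOT NULL,
    signed_at   timestamptz NOT NULL DEFAULT now(),
    -- audit columns
    created_by  text        NOT NULL,
    created_at  timestamptz NOT NULL DEFAULT now(),
    updated_by  text,
    updated_at  timestamptz,
    deleted_at  timestamptz              -- NULL = live row; set = soft-deleted
);

-- Append-only sequence-of-events log; seq gives a total order of events.
CREATE TABLE audit_event (
    seq         bigserial   PRIMARY KEY,
    table_name  text        NOT NULL,
    row_id      bigint      NOT NULL,
    action      text        NOT NULL,     -- INSERT | SOFT_DELETE
    actor       text        NOT NULL,
    occurred_at timestamptz NOT NULL DEFAULT now(),
    old_row     jsonb,
    new_row     jsonb
);

-- The application role (assumed name: app_role) can never rewrite history;
-- only the SECURITY DEFINER trigger function below appends to the log.
REVOKE UPDATE, DELETE, TRUNCATE ON audit_event FROM app_role;

CREATE OR REPLACE FUNCTION form_submission_guard() RETURNS trigger
LANGUAGE plpgsql SECURITY DEFINER AS $$
BEGIN
    IF TG_OP = 'INSERT' THEN
        INSERT INTO audit_event (table_name, row_id, action, actor, new_row)
        VALUES (TG_TABLE_NAME, NEW.id, 'INSERT', NEW.created_by, to_jsonb(NEW));
        RETURN NEW;
    END IF;

    IF TG_OP = 'DELETE' THEN
        RAISE EXCEPTION 'form_submission % is immutable; use a soft delete', OLD.id;
    END IF;

    -- UPDATE: signed content and the audit origin columns must never change ...
    IF NEW.id          IS DISTINCT FROM OLD.id
    OR NEW.payload     IS DISTINCT FROM OLD.payload
    OR NEW.signed_by   IS DISTINCT FROM OLD.signed_by
    OR NEW.signed_role IS DISTINCT FROM OLD.signed_role
    OR NEW.signed_at   IS DISTINCT FROM OLD.signed_at
    OR NEW.created_by  IS DISTINCT FROM OLD.created_by
    OR NEW.created_at  IS DISTINCT FROM OLD.created_at THEN
        RAISE EXCEPTION 'form_submission % cannot be modified after submission', OLD.id;
    END IF;
    -- ... and the only permitted update is a single soft delete by a named actor.
    IF OLD.deleted_at IS NOT NULL OR NEW.deleted_at IS NULL OR NEW.updated_by IS NULL THEN
        RAISE EXCEPTION 'only one soft delete with updated_by set is allowed on %', OLD.id;
    END IF;
    NEW.updated_at := now();
    INSERT INTO audit_event (table_name, row_id, action, actor, old_row, new_row)
    VALUES (TG_TABLE_NAME, OLD.id, 'SOFT_DELETE', NEW.updated_by, to_jsonb(OLD), to_jsonb(NEW));
    RETURN NEW;
END;
$$;

CREATE TRIGGER form_submission_guard
    BEFORE INSERT OR UPDATE OR DELETE ON form_submission
    FOR EACH ROW EXECUTE FUNCTION form_submission_guard();

-- Normal reads go through a view that hides soft-deleted rows.
CREATE VIEW form_submission_live AS
    SELECT * FROM form_submission WHERE deleted_at IS NULL;

-- Usage with a constructed sample row: a submission, a soft delete (allowed),
-- then an attempted edit of the signed payload (rejected by the trigger).
INSERT INTO form_submission (payload, signed_by, signed_role, created_by)
VALUES ('{"batch": "B-1001", "result": "pass"}', 'Asha Rao', 'QA Reviewer', 'arao');

UPDATE form_submission SET deleted_at = now(), updated_by = 'admin' WHERE id = 1;

-- Raises an exception: the record cannot be modified after submission.
UPDATE form_submission SET payload = '{"batch": "B-1001", "result": "fail"}' WHERE id = 1;

-- Sequence of events for the record, retrievable on demand.
SELECT seq, action, actor, occurred_at FROM audit_event WHERE row_id = 1 ORDER BY seq;
```

Two design points worth noting. The trigger compares columns with IS DISTINCT FROM so that NULLs are handled correctly, and it deliberately leaves the application unable to "un-delete" a row: reversing a soft delete would itself be a modification of a submitted record. Because the log is written by a SECURITY DEFINER function and the application role holds no UPDATE or DELETE on audit_event, a compromised application credential can add events but cannot rewrite or remove them; a superuser still can, so database administrator access must be covered by the same access controls and audit trail.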