Security

Security posture for sensitive ECCTA evidence workflows.

DefenceFile is designed around private evidence storage, tenant-scoped records, human review, and auditable export boundaries. This page describes product controls, not a third-party certification.

Evidence handling

Original source files are intended to live in private tenant-scoped object storage. The application database stores source metadata, processing state, hashes, and redacted extracted text rather than raw source-file contents.

Each source is SHA-256 hashed at upload over the original uploaded bytes (not the redacted/extracted text). Board-pack exports preserve source-register lineage and SHA-256 hash boundaries so advisers can inspect what was included without relying on an undocumented black box.
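The hashing and lineage behaviour described above, as an added illustration rather than DefenceFile's own code: the database record keeps the SHA-256 of the original bytes, the size, and the redacted text, the raw file goes to a tenant-scoped store (modelled here as an in-memory dict keyed by tenant and source id, an assumption), and a board-pack manifest pins each included source to its upload-time hash so an adviser can re-hash the stored originals and spot a missing or altered file. Function names and the manifest layout are this example's assumptions.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class SourceRecord:
    # What the application database keeps: metadata and a hash, never the raw file.
    tenant_id: str
    source_id: str
    sha256: str          # hex digest of the original uploaded bytes
    size_bytes: int
    redacted_text: str   # extracted text after redaction, stored instead of the file


def register_upload(object_store, tenant_id, source_id, raw_bytes, redacted_text):
    """Hash the original bytes at upload time, park the bytes in the tenant's
    private store, and return the metadata row for the database."""
    digest = hashlib.sha256(raw_bytes).hexdigest()      # over raw bytes, not redacted text
    object_store[(tenant_id, source_id)] = raw_bytes    # stand-in for a private tenant bucket (assumption)
    return SourceRecord(tenant_id, source_id, digest, len(raw_bytes), redacted_text)


def build_board_pack_manifest(records):
    """Source-register lineage for an export: which sources went in, each
    pinned to the SHA-256 recorded at upload."""
    return {
        "sources": [
            {"source_id": r.source_id, "sha256": r.sha256, "size_bytes": r.size_bytes}
            for r in records
        ]
    }


def verify_board_pack(object_store, tenant_id, manifest):
    """Re-hash the stored originals behind a manifest. Returns a per-source
    status: 'ok', 'mismatch' (bytes changed since upload) or 'missing'."""
    status = {}
    for entry in manifest["sources"]:
        raw = object_store.get((tenant_id, entry["source_id"]))
        if raw is None:
            status[entry["source_id"]] = "missing"
        elif hashlib.sha256(raw).hexdigest() != entry["sha256"]:
            status[entry["source_id"]] = "mismatch"
        else:
            status[entry["source_id"]] = "ok"
    return status


if __name__ == "__main__":
    # Constructed sample: two uploads for one tenant, then an export manifest.
    store = {}
    r1 = register_upload(store, "tenant-a", "src-1", b"abc", "[REDACTED]")
    r2 = register_upload(store, "tenant-a", "src-2", b"invoice bytes", "invoice text")
    manifest = build_board_pack_manifest([r1, r2])
    print(verify_board_pack(store, "tenant-a", manifest))
    store[("tenant-a", "src-2")] = b"invoice bytes!"   # simulate post-upload tampering
    print(verify_board_pack(store, "tenant-a", manifest))
```

The verifier is keyed by tenant as well as source id, so a manifest presented against the wrong tenant's store reports every source as missing rather than leaking whether another tenant holds a file with that hash.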

Tenant and token boundaries

Postgres deployments use tenant-owned tables, and both the migrations and the security check path expect row-level security to be enabled on those tables so that a query can only see the rows of the tenant it is running for.

Zero-login attestation links and adviser-share links are scoped to a single purpose, expire, are rate-limited per token and per source bucket, and are stored as hashes rather than as raw bearer tokens, so a read of the database does not yield usable links.

Token-scoped attestation and adviser-share pages use noindex and no-referrer guardrails; unavailable states avoid exposing raw tokens or internal workspace metadata.

External participant controls

Associated-person attestation submissions reject cross-origin browser mutations before token validation and return generic invalid/expired/revoked/rate-limit errors without echoing raw tokens.
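The token handling and submission checks described in the two passages above, as an added example and not DefenceFile's code: only a SHA-256 of each link token is stored, links carry a scope and an expiry and can be revoked, the cross-origin check runs before any token lookup, attempts are counted per token hash and per source bucket (a client address here), and every failure returns the same generic message while the audit reason carries only a hash prefix. The origin, the limits, the window, the scope format and the `submit_attestation` signature are this example's assumptions.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict
from dataclasses import dataclass

PUBLIC_ORIGIN = "https://defencefile.example"   # assumed HTTPS public origin
TOKEN_BYTES = 32
WINDOW_SECONDS = 60
LIMIT_PER_TOKEN = 5        # assumed limits, not the product's real numbers
LIMIT_PER_SOURCE = 50
GENERIC_ERROR = "This link is invalid, expired or has been revoked."


def hash_token(token: str) -> str:
    # Only this digest is stored, bucketed and logged; the raw bearer token never is.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


@dataclass
class LinkRecord:
    tenant_id: str
    scope: str            # e.g. "attestation:<submission id>" (assumed format)
    expires_at: float
    revoked: bool = False


class LinkStore:
    def __init__(self):
        self.by_hash: dict[str, LinkRecord] = {}
        self.attempts: dict[str, list[float]] = defaultdict(list)

    def issue(self, tenant_id: str, scope: str, ttl_seconds: int, now: float) -> str:
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self.by_hash[hash_token(token)] = LinkRecord(tenant_id, scope, now + ttl_seconds)
        return token      # handed to the recipient once; not retained

    def revoke(self, token: str) -> None:
        rec = self.by_hash.get(hash_token(token))
        if rec:
            rec.revoked = True

    def over_limit(self, bucket: str, limit: int, now: float) -> bool:
        # Sliding window: record this attempt, then count attempts in the window.
        recent = [t for t in self.attempts[bucket] if now - t < WINDOW_SECONDS]
        recent.append(now)
        self.attempts[bucket] = recent
        return len(recent) > limit


def is_cross_origin(headers: dict) -> bool:
    # Prefer Sec-Fetch-Site when the browser sends it; fall back to Origin.
    site = headers.get("Sec-Fetch-Site")
    if site is not None:
        return site not in ("same-origin", "none")
    origin = headers.get("Origin")
    return origin is not None and origin != PUBLIC_ORIGIN


def submit_attestation(store, headers, source_ip, token, scope, now):
    """Returns (http_status, public_message, audit_reason).
    The public message never distinguishes unknown, expired or revoked links,
    and the audit reason carries a digest prefix, never the raw token."""
    if is_cross_origin(headers):                     # before any token work
        return 403, GENERIC_ERROR, "cross-origin mutation rejected"
    digest = hash_token(token)
    if store.over_limit("src:" + source_ip, LIMIT_PER_SOURCE, now) or \
       store.over_limit("tok:" + digest, LIMIT_PER_TOKEN, now):
        return 429, "Too many attempts. Try again later.", f"rate limited tok={digest[:12]}"
    rec = store.by_hash.get(digest)
    if rec is None:
        return 404, GENERIC_ERROR, f"unknown token tok={digest[:12]}"
    if rec.revoked:
        return 404, GENERIC_ERROR, f"revoked tok={digest[:12]}"
    if now >= rec.expires_at:
        return 404, GENERIC_ERROR, f"expired tok={digest[:12]}"
    if not hmac.compare_digest(rec.scope, scope):
        return 404, GENERIC_ERROR, f"scope mismatch tok={digest[:12]}"
    return 200, "Attestation recorded.", f"accepted tenant={rec.tenant_id} tok={digest[:12]}"
```

Because the per-token bucket is keyed on the digest of whatever the client sent, guessing attempts against an unknown token are throttled just like attempts against a real one, and the valid link's own bucket is unaffected by that noise.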

Adviser share page views, markdown downloads, and revocations append tenant audit events carrying the recipient and the board-pack SHA-256, while raw share bearer tokens are kept out of audit CSV exports.

Deployment readiness

The health check verifies required signing secrets, HTTPS public origin, pilot user shape, evidence-storage configuration, email delivery configuration, worker scope, backup targets, and database connectivity before a configured pilot is considered ready.

Global browser security headers include a content security policy, frame denial, MIME-sniffing protection, a strict-origin referrer policy, HSTS, and a restrictive browser permissions policy.

Audit CSV exports are authenticated, filtered, buyer-labelled, formula-safe, and bounded to tenant audit events.
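The export properties listed above, as an added example that is not DefenceFile's code: rows are restricted to one tenant, optionally filtered by event type, labelled with the buyer, limited to an allowlist of columns that does not include the raw share token, and every cell that a spreadsheet would treat as a formula is neutralised with a leading apostrophe. The event layout, column names and sample events are constructed for this example.

```python
import csv
import io

# Cells starting with these are interpreted as formulas by common spreadsheets.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Allowlist of exported columns (assumed names). share_token is deliberately absent,
# so a raw bearer token stored on an event can never reach the CSV.
AUDIT_COLUMNS = ("occurred_at", "event", "actor", "recipient", "board_pack_sha256")

# Constructed sample events, including a CSV-injection payload in an actor field
# and a raw share token that must not be exported.
SAMPLE_EVENTS = [
    {"tenant_id": "tenant-a", "occurred_at": "2024-05-01T09:00:00Z",
     "event": "adviser_share.viewed", "actor": "=cmd|' /C calc'!A0",
     "recipient": "adviser@firm.example", "board_pack_sha256": "ba7816bf8f01cfea",
     "share_token": "RAW-BEARER-TOKEN-DO-NOT-EXPORT"},
    {"tenant_id": "tenant-a", "occurred_at": "2024-05-02T10:30:00Z",
     "event": "adviser_share.revoked", "actor": "owner@tenant-a.example",
     "recipient": "adviser@firm.example", "board_pack_sha256": "ba7816bf8f01cfea",
     "share_token": "RAW-BEARER-TOKEN-DO-NOT-EXPORT"},
    {"tenant_id": "tenant-b", "occurred_at": "2024-05-02T11:00:00Z",
     "event": "adviser_share.viewed", "actor": "owner@other.example",
     "recipient": "@someone", "board_pack_sha256": "0000000000000000",
     "share_token": "ANOTHER-RAW-TOKEN"},
]


def neutralise_cell(value) -> str:
    """Prefix formula-looking cells so they are read as text, not executed."""
    text = "" if value is None else str(value)
    if text.startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def export_audit_csv(events, tenant_id, buyer_label, event_filter=None) -> str:
    """Tenant-bounded, buyer-labelled, formula-safe CSV over allowlisted columns.
    event_filter, if given, is a set of event names to keep."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(("buyer",) + AUDIT_COLUMNS)
    for ev in events:
        if ev.get("tenant_id") != tenant_id:          # never cross the tenant boundary
            continue
        if event_filter is not None and ev.get("event") not in event_filter:
            continue
        row = [neutralise_cell(buyer_label)] + [neutralise_cell(ev.get(c)) for c in AUDIT_COLUMNS]
        writer.writerow(row)
    return buf.getvalue()


def parse_csv(text: str):
    """Small reader used to check an export round-trips."""
    return list(csv.reader(io.StringIO(text)))


if __name__ == "__main__":
    print(export_audit_csv(SAMPLE_EVENTS, "tenant-a", "Buyer Ltd"))
```

Filtering by an allowlist of columns, rather than stripping known-sensitive fields, is the safer direction: a new field added to an event later is excluded from exports by default instead of leaking until someone remembers to redact it.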

Legal boundary

DefenceFile organises evidence for legal and compliance review. It does not provide legal advice, create privilege, certify scope, certify reasonable procedures, or guarantee that a statutory defence will succeed.

Security controls and readiness checks are product controls. They are not SOC 2, ISO 27001, Cyber Essentials, legal-compliance, or production-customer certification claims unless a signed customer artefact supplies that evidence.