strike scfPassport
Log inGet your Passport

Security

Strike Passport carries the documents your business runs on. We treat that responsibility the way financial infrastructure should: least privilege, private by default, verified at every boundary.

Strict tenant isolation

Every query in the platform is scoped to your company. Cross-tenant data access is structurally impossible: identifiers from the client are never trusted, and authorization is resolved from your session and membership on every request.

Signed URLs only

Documents live in a private storage bucket with no public access. Every download — by you, your team, or a counterparty — uses a short-lived signed URL generated per request. Uploads go directly from the browser to storage over one-time signed upload URLs.

Role-based access control

Owner, Admin, and Viewer roles govern what each team member can do. Billing changes require the Owner. Document and sharing changes require Admin. Viewers can see, not change.

Input validation everywhere

Every API input is validated with strict schemas before it touches business logic — types, lengths, formats, and enums. Malformed requests are rejected with no side effects.

Audit trail

Sensitive actions — document changes, share link creation and revocation, team changes, verification decisions, admin overrides — are written to an append-only audit log with actor, action, target, and timestamp.

Session-based authentication

Authentication uses signed, HTTP-only session tokens. Passwords are hashed with bcrypt. Public passport pages require no login and expose only what you explicitly published.

Webhook integrity

Billing state changes only through cryptographically verified Stripe webhooks with idempotent processing. Feature access is decided from our database — never from a live third-party call.

Revocation that means it

Revoking a share link takes effect immediately on the next request. Expired and revoked links return the same response as links that never existed.

Reporting a vulnerability

If you believe you have found a security issue in Strike Passport, contact us through the contact page with the subject “Security”. We review every report and respond to valid findings. Please do not access data that is not yours while investigating.