Back to Docs
Shield: Active
Infrastructure Defense

Security Protocol.

1. Authentication & Identity Management

The first line of defense ensures that only verified users can enter the system.

Multi-Factor Authentication (MFA)

Beyond standard email/password, the system supports Biometric Integration (Fingerprint/FaceID) via the WebAuthn API. This is mandatory for accessing high-sensitivity nodes like Salary Management.

Secure Session Control

Single-Session Enforcement

The system prevents concurrent logins. If an Admin logs in from a new device, the previous session is invalidated to prevent credential sharing.

Auto-Timeout

Inactive sessions are automatically cleared after a set period to protect data on shared workstations at branch locations.

2. Role-Based Access Control (RBAC)

The system strictly segregates duties to prevent internal fraud and accidental data exposure.

Security Layer Staff Permissions Admin Permissions
Profile Data Read-only (Own data) Full Read/Write (All)
Attendance Write-only (Punch-clock) Read & Adjust
Salary Node No Access Full Read/Write
Analytics Hub No Access Read-only

3. Database & Network Security

Firebase Security Rules

These are server-side "guardians" that evaluate every request. Even if a user tries to bypass the website and query the database directly, the rules will block any unauthorized attempt.

Data Encryption

  • In-Transit: Encrypted via SSL/TLS during cloud sync.
  • At-Rest: Encrypted via Google Cloud Infrastructure.

Offline Persistence

Data is stored in an encrypted local cache (IndexedDB). If a computer is stolen while offline, payroll records remain inaccessible.

4. The "Sync Bridge" Integrity

Atomic Writes

Syncing data is pushed as a single "transaction." If the internet drops, the system rolls back to prevent corrupted records.

Timestamp Verification

Uses server-side timestamps to prevent "Time-In" fraud (changing local system clocks).

5. Audit & Monitoring

A

Action Logs

Logs Admin ID, Timestamp, and IP Address for every salary change or leave override.

B

Anomaly Detection

Flags "impossible" logs (e.g., Time-In at Branch A and Time-Out at Branch B within 5 minutes).

6. Security Workflow Summary

Entry

Auth + Biometrics

Validation

Session Check

Transaction

Firebase Rules

Logging

Audit Trail