Built for firms that cannot afford a breach.
ConsultancyOS holds the most sensitive data a consulting firm has. Your engagement IP, your client list, your margin, your forecast. We treat security as a feature of the platform, not as a compliance checkbox. Every commit ships through the controls below.
Every read and every write is tenant scoped.
Cross tenant access is impossible by design. Tenant ownership is verified at the database layer through parent relations even on indirect models.
- ·Strict tenantId filter on every query
- ·Verified at the parent relation for tasks, dependencies, milestones
- ·Audit trail records actor, tenant, target, and diff on every mutation
- ·Optional regional data residency at Enterprise tier
Password handling and session security.
We use industry standard hashing and session protections. Passwords are never stored or returned in plaintext.
- ·bcryptjs hashing at 12 rounds for every credential
- ·Password complexity: minimum 8 characters, upper and lower case, number
- ·Password reset tokens are 48 byte cryptographic random with 1 hour expiry
- ·Anti enumeration on reset endpoints
- ·Optional SSO available on Enterprise tier
Data in transit and at rest.
TLS for everything reaching the platform. At rest encryption on the underlying database. Strong cipher suites only.
- ·TLS 1.2 minimum, HSTS enforced on every request
- ·Database encryption at rest provided by managed Postgres provider
- ·Per request security headers: X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy
- ·Content Security Policy on every page
Roles, permissions, and audit.
Every action runs against role permissions before it reaches the business logic.
- ·Three core roles plus tenant configurable permissions: ADMIN, MANAGER, STAFF
- ·Client portal users authenticate separately with bearer tokens
- ·Audit log records every mutation with full diff
- ·Configurable workflow approvals for sensitive actions
Public endpoints are hardened.
Every request that hits the API runs through the same protections.
- ·Sliding window rate limiting on public and mutation endpoints
- ·SSRF validation on every outbound webhook URL
- ·ALLOWED_CONTEXT_FIELDS list prevents prototype pollution
- ·BLOCKED_FIELDS list prevents role and password modifications through update endpoints
What we accept, what we reject.
Document uploads go through a strict pipeline before they are stored.
- ·MIME type allowlist: PDF, Office, images, CSV, ZIP
- ·File size ceiling of 100MB per upload
- ·String length validation on every text field
- ·Optional document scanning at Enterprise tier
Event driven automation with guardrails.
The workflow engine is powerful, which is why it is hardened.
- ·Conditional logic with bounded execution
- ·Webhook actions validated for SSRF and protocol restrictions
- ·Audit log records every automation run with inputs and outputs
- ·Workflow logs queryable for security incident investigation
Where we are on attestations.
SOC 2 Type 2
Security, Availability, and Confidentiality. Targeting Q4 2026 attestation. Controls in place and being audited.
ISO 27001
Information security management system. Scoping in 2026 with attestation in 2027.
GDPR alignment
Data processing agreement available on request. Sub processors listed in DPA. Right to access and deletion supported via the audit endpoints.
Australian Privacy Act
Australian Privacy Principles applied across all tenants. APP 11 controls implemented.
Reporting a vulnerability.
If you have found a security issue in ConsultancyOS, please write to info@consultancyos.ai. Include the steps to reproduce, the impact you observed, and your contact details. We acknowledge within two business days and aim to resolve high severity issues within seven days.
We do not run a public bug bounty yet. We do credit responsible disclosures on this page and in our changelog.