Security & Privacy

Security Overview

How BookYourPTO protects your account and your organization's data — authentication, encryption, rate limiting, security headers, audit logging, and account guards.

Security Overview

BookYourPTO is built for organizations that hold sensitive people data — leave records, compensation, identity documents, and time logs. This page is the security model at a glance, so admins and security reviewers can see how the pieces fit together. Each topic links to a dedicated page with the full detail.

Layered request protection

Every API request passes through layered security checks before it reaches a handler — resolving the organization context, validating the caller's session, confirming the account is active and in good standing, enforcing the org's plan entitlements, and recording the request for monitoring.

Why re-check on every request? The account is re-validated on each call, so a deactivated user stops working promptly — even mid-session — without waiting for their session to expire.

Authentication

Login uses short-lived JWT access tokens paired with longer-lived refresh tokens stored in the database. Every refresh rotates both tokens atomically — the old pair is deleted and a new one issued — so a stolen refresh token is useful only until the legitimate client refreshes next. Reuse of a rotated token is treated as theft.

See Authentication for the login flow, token rotation, password policy, force-password-change, and forgot/reset.

Two-factor authentication & trusted devices

Optional (or org-mandated) TOTP two-factor with one-time backup codes. Devices can be trusted to skip the 2FA prompt for a limited time, and every trusted device can be listed and revoked.

See Two-Factor & Devices.

Encryption at rest

Personally identifiable information is encrypted in the database with AES-256-GCM field encryption, while still supporting fast lookups without decrypting every row.

Rate limiting

Auth-sensitive endpoints — login, two-factor verification, password reset, deletion-code requests, and data exports — are subject to strict rate limits to blunt brute-force and abuse. When a limit is hit, responses return HTTP 429 with a retryAfter value telling the client how long to wait.

Security headers

In production, responses carry hardened headers: HSTS, X-Content-Type-Options: nosniff, X-Frame-Options: SAMEORIGIN, a strict referrer policy, a restrictive permissions policy, and a Content-Security-Policy.

Audit logging & monitoring

Every meaningful action is recorded with a full before/after change record, the actor, IP, user agent, and timestamp. Sign-in attempts (success and failure) are tracked separately, and an unknown-login email alert fires on logins from new locations.

Now on every plan. Audit logs are available on every plan, including Free (previously Business-only). See Plans.

See Audit & Monitoring.

Account deletion & privacy

In-app, GDPR/CCPA-compliant account deletion, organization deletion, data export, and CCPA opt-out — each confirmed where required by an emailed 6-digit code.

See Account Deletion & Privacy.

Demo-instance lockdown

The public demo runs in a locked-down mode that blocks destructive writes, so anyone can explore it without affecting other visitors.

Roles

Access is scoped by four roles — Employee, Department Head, Administrator, Executive — plus a per-user isApprover flag and department scoping. All client-side permission checks are mirrored and enforced on the server; the backend is always authoritative.

See Roles & Permissions.